diff --git a/api/hypershift/v1beta1/hostedcluster_helpers.go b/api/hypershift/v1beta1/hostedcluster_helpers.go
new file mode 100644
index 000000000000..20f4b70e63ee
--- /dev/null
+++ b/api/hypershift/v1beta1/hostedcluster_helpers.go
@@ -0,0 +1,43 @@
+package v1beta1
+
+// EffectiveShards returns the effective shard configuration for managed etcd.
+// If shards are not explicitly configured, returns a default single shard.
+func (m *ManagedEtcdSpec) EffectiveShards(hcp *HostedControlPlane) []ManagedEtcdShardSpec {
+ if len(m.Shards) > 0 {
+ return m.Shards
+ }
+
+ replicas := int32(1)
+ if hcp.Spec.ControllerAvailabilityPolicy == HighlyAvailable {
+ replicas = 3
+ }
+
+ return []ManagedEtcdShardSpec{
+ {
+ Name: "default",
+ ResourcePrefixes: []string{"/"},
+ Priority: EtcdShardPriorityCritical,
+ Replicas: &replicas,
+ BackupSchedule: "*/30 * * * *",
+ },
+ }
+}
+
+// EffectiveShards returns the effective shard configuration for unmanaged etcd.
+// If shards are not explicitly configured, returns a default single shard using
+// the legacy endpoint and tls fields.
+func (u *UnmanagedEtcdSpec) EffectiveShards() []UnmanagedEtcdShardSpec {
+ if len(u.Shards) > 0 {
+ return u.Shards
+ }
+
+ return []UnmanagedEtcdShardSpec{
+ {
+ Name: "default",
+ ResourcePrefixes: []string{"/"},
+ Priority: EtcdShardPriorityCritical,
+ Endpoint: u.Endpoint,
+ TLS: u.TLS,
+ },
+ }
+}
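Review bot: `hcp.Spec.ControllerAvailabilityPolicy` on the line after `replicas := int32(1)` dereferences the parameter without a nil check, so a nil `hcp` panics inside the API package instead of surfacing in the caller; `if hcp != nil && hcp.Spec.ControllerAvailabilityPolicy == HighlyAvailable {` keeps the single-replica default for that case. Both receivers are dereferenced unguarded as well (`m.Shards`, `u.Shards`), which is only safe if every caller has already checked the Managed/Unmanaged pointer, and that expectation should be stated in the doc comments. When shards are configured the slices are returned as-is: no per-shard defaulting of Replicas, Storage or BackupSchedule happens here and the caller shares the spec's backing array, so the comments should say "returns the configured shards unchanged; callers must not mutate the result" or the functions should return a copy. The unmanaged default shard also inherits whatever `u.Endpoint`/`u.TLS` hold, which after this commit may be empty, so callers of that helper need their own reachability check.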
diff --git a/api/hypershift/v1beta1/hostedcluster_types.go b/api/hypershift/v1beta1/hostedcluster_types.go
index d99f765f090f..60cf4adae79c 100644
--- a/api/hypershift/v1beta1/hostedcluster_types.go
+++ b/api/hypershift/v1beta1/hostedcluster_types.go
@@ -1900,6 +1900,8 @@ type EtcdSpec struct {
// HyperShift.
type ManagedEtcdSpec struct {
// storage specifies how etcd data is persisted.
+ // When shards are specified, this serves as the default for all shards
+ // unless overridden per-shard.
// +required
// +kubebuilder:validation:XValidation:rule="has(self.restoreSnapshotURL) == has(oldSelf.restoreSnapshotURL)",message="restoreSnapshotURL cannot be added or removed after creation"
Storage ManagedEtcdStorageSpec `json:"storage"`
@@ -1910,6 +1912,81 @@ type ManagedEtcdSpec struct {
// +optional
// +openshift:enable:FeatureGate=HCPEtcdBackup
Backup HCPEtcdBackupConfig `json:"backup,omitzero"`
+
+ // shards configures etcd sharding by Kubernetes resource kind.
+ // When not specified, a default single shard accepting all prefixes is used.
+ // When specified, exactly one shard must have "/" in its resourcePrefixes.
+ // +optional
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=10
+ // +listType=map
+ // +listMapKey=name
+ // +kubebuilder:validation:XValidation:rule="self.exists(s, '/' in s.resourcePrefixes)",message="exactly one shard must have '/' prefix"
+ // +kubebuilder:validation:XValidation:rule="self.all(s, s.resourcePrefixes.all(p, p == '/' || p.endsWith('#')))",message="non-default prefixes must end with '#'"
+ Shards []ManagedEtcdShardSpec `json:"shards,omitempty"`
+}
+
+// EtcdShardPriority defines the operational priority of an etcd shard
+// +kubebuilder:validation:Enum=Critical;High;Medium;Low
+type EtcdShardPriority string
+
+const (
+ EtcdShardPriorityCritical EtcdShardPriority = "Critical"
+ EtcdShardPriorityHigh EtcdShardPriority = "High"
+ EtcdShardPriorityMedium EtcdShardPriority = "Medium"
+ EtcdShardPriorityLow EtcdShardPriority = "Low"
+)
+
+// ManagedEtcdShardSpec defines configuration for a single managed etcd shard
+type ManagedEtcdShardSpec struct {
+ // name is the unique identifier for this shard
+ // Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ // Used for resource naming: etcd-{name}, etcd-{name}-client, etc.
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:XValidation:rule="self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')",message="name must be DNS-1035 compliant"
+ // +kubebuilder:validation:MaxLength=15
+ Name string `json:"name,omitempty"`
+
+ // resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ // Format: "group/resource#" or "/" for default (catch-all)
+ // Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ // Exactly one shard must have "/" as a prefix
+ // +required
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=50
+ // +kubebuilder:validation:items:MinLength=1
+ // +kubebuilder:validation:items:MaxLength=255
+ // +listType=set
+ ResourcePrefixes []string `json:"resourcePrefixes,omitempty"`
+
+ // priority determines operational importance and default backup frequency
+ // Critical: Default backup every 30 minutes
+ // High: Default backup hourly
+ // Medium/Low: Default backup disabled
+ // +optional
+ // +default="Medium"
+ Priority EtcdShardPriority `json:"priority,omitempty"`
+
+ // storage specifies storage configuration for this shard
+ // If not specified, inherits from ManagedEtcdSpec.Storage
+ // +optional
+ Storage ManagedEtcdStorageSpec `json:"storage,omitzero"`
+
+ // replicas is the number of etcd replicas for this shard
+ // Must be 1 or 3. If not specified, defaults based on cluster's
+ // ControllerAvailabilityPolicy (1 for SingleReplica, 3 for HighlyAvailable)
+ // +optional
+ // +kubebuilder:validation:Enum=1;3
+ Replicas *int32 `json:"replicas,omitempty"`
+
+ // backupSchedule is the cron schedule for backups (standard cron format)
+ // If empty, uses priority-based default or disables backups
+ // Examples: "*/30 * * * *" (every 30 min), "0 * * * *" (hourly)
+ // +optional
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=100
+ BackupSchedule string `json:"backupSchedule,omitempty"`
}
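Review bot: The CEL rule on the `shards` field (`self.exists(s, '/' in s.resourcePrefixes)`) only guarantees that at least one shard carries the catch-all prefix, while its message and the field doc promise exactly one; two shards both listing "/" pass admission and leave the controller with an ambiguous default. `self.filter(s, '/' in s.resourcePrefixes).size() == 1` enforces the documented invariant; the same rule is repeated on UnmanagedEtcdSpec.Shards in the next hunk of this file and needs the same change. The prefix documentation is internally inconsistent: `Format: "group/resource#"` has no leading slash while the examples (`"/events#"`) and the `p == '/'` check do, so the format line should read `"/group/resource#"` or the examples should drop the slash, whichever matches the apiserver's key layout. Nothing rejects the same non-default prefix appearing in two shards; if the controller cannot tolerate that overlap, a cross-shard uniqueness rule belongs here too.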
// ManagedEtcdStorageType is a storage type for an etcd cluster.
@@ -1981,20 +2058,71 @@ type PersistentVolumeEtcdStorageSpec struct {
}
// UnmanagedEtcdSpec specifies configuration which enables the control plane to
-// integrate with an eternally managed etcd cluster.
+// integrate with an externally managed etcd cluster.
type UnmanagedEtcdSpec struct {
- // endpoint is the full etcd cluster client endpoint URL. For example:
- //
- // https://etcd-client:2379
- //
- // If the URL uses an HTTPS scheme, the TLS field is required.
- //
- // +kubebuilder:validation:Pattern=`^https://`
+ // endpoint is the full etcd cluster client endpoint URL.
+ // Used only when shards is not specified (legacy single-etcd mode).
+ // When shards are specified, this field is ignored.
+ // +optional
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:XValidation:rule="self.startsWith('https://')",message="endpoint must start with https://"
// +kubebuilder:validation:MaxLength=255
+ Endpoint string `json:"endpoint,omitempty"`
+
+ // tls specifies TLS configuration for HTTPS etcd client endpoints.
+ // Used only when shards is not specified (legacy single-etcd mode).
+ // When shards are specified, this field is ignored.
+ // +optional
+ TLS EtcdTLSConfig `json:"tls,omitzero"`
+
+ // shards configures etcd sharding by Kubernetes resource kind.
+ // When not specified, uses endpoint and tls fields (legacy single-etcd mode).
+ // When specified, exactly one shard must have "/" in its resourcePrefixes.
+ // +optional
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=10
+ // +listType=map
+ // +listMapKey=name
+ // +kubebuilder:validation:XValidation:rule="self.exists(s, '/' in s.resourcePrefixes)",message="exactly one shard must have '/' prefix"
+ // +kubebuilder:validation:XValidation:rule="self.all(s, s.resourcePrefixes.all(p, p == '/' || p.endsWith('#')))",message="non-default prefixes must end with '#'"
+ Shards []UnmanagedEtcdShardSpec `json:"shards,omitempty"`
+}
+
+// UnmanagedEtcdShardSpec defines configuration for a single unmanaged etcd shard
+type UnmanagedEtcdShardSpec struct {
+ // name is the unique identifier for this shard
+ // Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:XValidation:rule="self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')",message="name must be DNS-1035 compliant"
+ // +kubebuilder:validation:MaxLength=15
+ Name string `json:"name,omitempty"`
+
+ // resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ // Format: "group/resource#" or "/" for default (catch-all)
+ // Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ // Exactly one shard must have "/" as a prefix
// +required
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=50
+ // +kubebuilder:validation:items:MinLength=1
+ // +kubebuilder:validation:items:MaxLength=255
+ // +listType=set
+ ResourcePrefixes []string `json:"resourcePrefixes,omitempty"`
+
+ // priority determines operational importance
+ // +optional
+ // +default="Medium"
+ Priority EtcdShardPriority `json:"priority,omitempty"`
+
+ // endpoint is the full etcd shard client endpoint URL
+ // Example: https://etcd-events-client:2379
+ // +required
+ // +kubebuilder:validation:Pattern=`^https://`
+ // +kubebuilder:validation:MaxLength=255
Endpoint string `json:"endpoint"`
- // tls specifies TLS configuration for HTTPS etcd client endpoints.
+ // tls specifies TLS configuration for this shard's HTTPS endpoint
// +required
TLS EtcdTLSConfig `json:"tls"`
}
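Review bot: Making `endpoint` and `tls` optional removes the only guarantee that an unmanaged etcd is reached over mTLS: with `shards` also optional there is no rule on UnmanagedEtcdSpec requiring one of the two modes, so an object with none of the three fields is accepted and the legacy path proceeds with an empty endpoint and an empty client-secret reference (the generated CRD hunks drop the former `required: [endpoint, tls]` list without adding a replacement). A struct-level marker above `type UnmanagedEtcdSpec struct` closes this gap: `// +kubebuilder:validation:XValidation:rule="has(self.shards) || (has(self.endpoint) && has(self.tls))",message="either shards or both endpoint and tls must be specified"`. The per-shard `endpoint` keeps the Pattern marker while the legacy field now uses a CEL `startsWith` rule; picking one form keeps the admission error messages consistent across both. The `exists` rule on this `shards` field has the same "at least one" versus "exactly one" gap as the managed variant earlier in this file.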
diff --git a/api/hypershift/v1beta1/zz_generated.deepcopy.go b/api/hypershift/v1beta1/zz_generated.deepcopy.go
index 558be0746f8f..70485e20806d 100644
--- a/api/hypershift/v1beta1/zz_generated.deepcopy.go
+++ b/api/hypershift/v1beta1/zz_generated.deepcopy.go
@@ -1604,7 +1604,7 @@ func (in *EtcdSpec) DeepCopyInto(out *EtcdSpec) {
if in.Unmanaged != nil {
in, out := &in.Unmanaged, &out.Unmanaged
*out = new(UnmanagedEtcdSpec)
- **out = **in
+ (*in).DeepCopyInto(*out)
}
}
@@ -3361,11 +3361,44 @@ func (in *ManagedAzureKeyVault) DeepCopy() *ManagedAzureKeyVault {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ManagedEtcdShardSpec) DeepCopyInto(out *ManagedEtcdShardSpec) {
+ *out = *in
+ if in.ResourcePrefixes != nil {
+ in, out := &in.ResourcePrefixes, &out.ResourcePrefixes
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+ in.Storage.DeepCopyInto(&out.Storage)
+ if in.Replicas != nil {
+ in, out := &in.Replicas, &out.Replicas
+ *out = new(int32)
+ **out = **in
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManagedEtcdShardSpec.
+func (in *ManagedEtcdShardSpec) DeepCopy() *ManagedEtcdShardSpec {
+ if in == nil {
+ return nil
+ }
+ out := new(ManagedEtcdShardSpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ManagedEtcdSpec) DeepCopyInto(out *ManagedEtcdSpec) {
*out = *in
in.Storage.DeepCopyInto(&out.Storage)
out.Backup = in.Backup
+ if in.Shards != nil {
+ in, out := &in.Shards, &out.Shards
+ *out = make([]ManagedEtcdShardSpec, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManagedEtcdSpec.
@@ -4582,10 +4615,38 @@ func (in *Taint) DeepCopy() *Taint {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UnmanagedEtcdShardSpec) DeepCopyInto(out *UnmanagedEtcdShardSpec) {
+ *out = *in
+ if in.ResourcePrefixes != nil {
+ in, out := &in.ResourcePrefixes, &out.ResourcePrefixes
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+ out.TLS = in.TLS
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UnmanagedEtcdShardSpec.
+func (in *UnmanagedEtcdShardSpec) DeepCopy() *UnmanagedEtcdShardSpec {
+ if in == nil {
+ return nil
+ }
+ out := new(UnmanagedEtcdShardSpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *UnmanagedEtcdSpec) DeepCopyInto(out *UnmanagedEtcdSpec) {
*out = *in
out.TLS = in.TLS
+ if in.Shards != nil {
+ in, out := &in.Shards, &out.Shards
+ *out = make([]UnmanagedEtcdShardSpec, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UnmanagedEtcdSpec.
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml
index b5222bb3375b..f25a569eb04e 100644
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml
+++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml
@@ -2476,8 +2476,160 @@ spec:
description: managed specifies the behavior of an etcd cluster
managed by HyperShift.
properties:
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, a default single shard accepting all prefixes is used.
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: ManagedEtcdShardSpec defines configuration
+ for a single managed etcd shard
+ properties:
+ backupSchedule:
+ description: |-
+ backupSchedule is the cron schedule for backups (standard cron format)
+ If empty, uses priority-based default or disables backups
+ Examples: "*/30 * * * *" (every 30 min), "0 * * * *" (hourly)
+ maxLength: 100
+ minLength: 1
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ Used for resource naming: etcd-{name}, etcd-{name}-client, etc.
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: |-
+ priority determines operational importance and default backup frequency
+ Critical: Default backup every 30 minutes
+ High: Default backup hourly
+ Medium/Low: Default backup disabled
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ replicas:
+ description: |-
+ replicas is the number of etcd replicas for this shard
+ Must be 1 or 3. If not specified, defaults based on cluster's
+ ControllerAvailabilityPolicy (1 for SingleReplica, 3 for HighlyAvailable)
+ enum:
+ - 1
+ - 3
+ format: int32
+ type: integer
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ storage:
+ description: |-
+ storage specifies storage configuration for this shard
+ If not specified, inherits from ManagedEtcdSpec.Storage
+ properties:
+ persistentVolume:
+ description: |-
+ persistentVolume is the configuration for PersistentVolume etcd storage.
+ With this implementation, a PersistentVolume will be allocated for every
+ etcd member (either 1 or 3 depending on the HostedCluster control plane
+ availability configuration).
+ properties:
+ size:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Gi
+ description: |-
+ size is the minimum size of the data volume for each etcd member.
+ Default is 8Gi.
+ This field is immutable
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ x-kubernetes-validations:
+ - message: Etcd PV storage size is immutable
+ rule: self == oldSelf
+ storageClassName:
+ description: |-
+ storageClassName is the StorageClass of the data volume for each etcd member.
+ See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: storageClassName is immutable
+ rule: self == oldSelf
+ type: object
+ restoreSnapshotURL:
+ description: |-
+ restoreSnapshotURL allows an optional URL to be provided where
+ an etcd snapshot can be downloaded, for example a pre-signed URL
+ referencing a storage service.
+ This snapshot will be restored on initial startup, only when the etcd PV
+ is empty.
+ items:
+ maxLength: 1024
+ type: string
+ maxItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: RestoreSnapshotURL shouldn't contain
+ more than 1 entry
+ rule: self.size() <= 1
+ - message: restoreSnapshotURL is immutable
+ rule: self == oldSelf
+ - message: restoreSnapshotURL must be a valid URL
+ with scheme https or s3
+ rule: self.size() == 0 || self[0].matches('^(https|s3)://.*')
+ type:
+ description: |-
+ type is the kind of persistent storage implementation to use for etcd.
+ Only PersistentVolume is supported at the moment.
+ enum:
+ - PersistentVolume
+ type: string
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - resourcePrefixes
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
storage:
- description: storage specifies how etcd data is persisted.
+ description: |-
+ storage specifies how etcd data is persisted.
+ When shards are specified, this serves as the default for all shards
+ unless overridden per-shard.
properties:
persistentVolume:
description: |-
@@ -2568,17 +2720,114 @@ spec:
properties:
endpoint:
description: |-
- endpoint is the full etcd cluster client endpoint URL. For example:
-
- https://etcd-client:2379
-
- If the URL uses an HTTPS scheme, the TLS field is required.
+ endpoint is the full etcd cluster client endpoint URL.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
maxLength: 255
- pattern: ^https://
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: endpoint must start with https://
+ rule: self.startsWith('https://')
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, uses endpoint and tls fields (legacy single-etcd mode).
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: UnmanagedEtcdShardSpec defines configuration
+ for a single unmanaged etcd shard
+ properties:
+ endpoint:
+ description: |-
+ endpoint is the full etcd shard client endpoint URL
+ Example: https://etcd-events-client:2379
+ maxLength: 255
+ pattern: ^https://
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: priority determines operational importance
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ tls:
+ description: tls specifies TLS configuration for this
+ shard's HTTPS endpoint
+ properties:
+ clientSecret:
+ description: |-
+ clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It
+ may have the following key/value pairs:
+
+ etcd-client-ca.crt: Certificate Authority value
+ etcd-client.crt: Client certificate value
+ etcd-client.key: Client certificate key value
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - clientSecret
+ type: object
+ required:
+ - endpoint
+ - name
+ - resourcePrefixes
+ - tls
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
tls:
- description: tls specifies TLS configuration for HTTPS etcd
- client endpoints.
+ description: |-
+ tls specifies TLS configuration for HTTPS etcd client endpoints.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
properties:
clientSecret:
description: |-
@@ -2603,9 +2852,6 @@ spec:
required:
- clientSecret
type: object
- required:
- - endpoint
- - tls
type: object
required:
- managementType
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AutoNodeKarpenter.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AutoNodeKarpenter.yaml
index 70641ae031d8..e7d4ae6b1994 100644
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AutoNodeKarpenter.yaml
+++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AutoNodeKarpenter.yaml
@@ -2603,8 +2603,160 @@ spec:
description: managed specifies the behavior of an etcd cluster
managed by HyperShift.
properties:
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, a default single shard accepting all prefixes is used.
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: ManagedEtcdShardSpec defines configuration
+ for a single managed etcd shard
+ properties:
+ backupSchedule:
+ description: |-
+ backupSchedule is the cron schedule for backups (standard cron format)
+ If empty, uses priority-based default or disables backups
+ Examples: "*/30 * * * *" (every 30 min), "0 * * * *" (hourly)
+ maxLength: 100
+ minLength: 1
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ Used for resource naming: etcd-{name}, etcd-{name}-client, etc.
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: |-
+ priority determines operational importance and default backup frequency
+ Critical: Default backup every 30 minutes
+ High: Default backup hourly
+ Medium/Low: Default backup disabled
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ replicas:
+ description: |-
+ replicas is the number of etcd replicas for this shard
+ Must be 1 or 3. If not specified, defaults based on cluster's
+ ControllerAvailabilityPolicy (1 for SingleReplica, 3 for HighlyAvailable)
+ enum:
+ - 1
+ - 3
+ format: int32
+ type: integer
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ storage:
+ description: |-
+ storage specifies storage configuration for this shard
+ If not specified, inherits from ManagedEtcdSpec.Storage
+ properties:
+ persistentVolume:
+ description: |-
+ persistentVolume is the configuration for PersistentVolume etcd storage.
+ With this implementation, a PersistentVolume will be allocated for every
+ etcd member (either 1 or 3 depending on the HostedCluster control plane
+ availability configuration).
+ properties:
+ size:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Gi
+ description: |-
+ size is the minimum size of the data volume for each etcd member.
+ Default is 8Gi.
+ This field is immutable
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ x-kubernetes-validations:
+ - message: Etcd PV storage size is immutable
+ rule: self == oldSelf
+ storageClassName:
+ description: |-
+ storageClassName is the StorageClass of the data volume for each etcd member.
+ See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: storageClassName is immutable
+ rule: self == oldSelf
+ type: object
+ restoreSnapshotURL:
+ description: |-
+ restoreSnapshotURL allows an optional URL to be provided where
+ an etcd snapshot can be downloaded, for example a pre-signed URL
+ referencing a storage service.
+ This snapshot will be restored on initial startup, only when the etcd PV
+ is empty.
+ items:
+ maxLength: 1024
+ type: string
+ maxItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: RestoreSnapshotURL shouldn't contain
+ more than 1 entry
+ rule: self.size() <= 1
+ - message: restoreSnapshotURL is immutable
+ rule: self == oldSelf
+ - message: restoreSnapshotURL must be a valid URL
+ with scheme https or s3
+ rule: self.size() == 0 || self[0].matches('^(https|s3)://.*')
+ type:
+ description: |-
+ type is the kind of persistent storage implementation to use for etcd.
+ Only PersistentVolume is supported at the moment.
+ enum:
+ - PersistentVolume
+ type: string
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - resourcePrefixes
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
storage:
- description: storage specifies how etcd data is persisted.
+ description: |-
+ storage specifies how etcd data is persisted.
+ When shards are specified, this serves as the default for all shards
+ unless overridden per-shard.
properties:
persistentVolume:
description: |-
@@ -2695,17 +2847,114 @@ spec:
properties:
endpoint:
description: |-
- endpoint is the full etcd cluster client endpoint URL. For example:
-
- https://etcd-client:2379
-
- If the URL uses an HTTPS scheme, the TLS field is required.
+ endpoint is the full etcd cluster client endpoint URL.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
maxLength: 255
- pattern: ^https://
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: endpoint must start with https://
+ rule: self.startsWith('https://')
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, uses endpoint and tls fields (legacy single-etcd mode).
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: UnmanagedEtcdShardSpec defines configuration
+ for a single unmanaged etcd shard
+ properties:
+ endpoint:
+ description: |-
+ endpoint is the full etcd shard client endpoint URL
+ Example: https://etcd-events-client:2379
+ maxLength: 255
+ pattern: ^https://
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: priority determines operational importance
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ tls:
+ description: tls specifies TLS configuration for this
+ shard's HTTPS endpoint
+ properties:
+ clientSecret:
+ description: |-
+ clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It
+ may have the following key/value pairs:
+
+ etcd-client-ca.crt: Certificate Authority value
+ etcd-client.crt: Client certificate value
+ etcd-client.key: Client certificate key value
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - clientSecret
+ type: object
+ required:
+ - endpoint
+ - name
+ - resourcePrefixes
+ - tls
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
tls:
- description: tls specifies TLS configuration for HTTPS etcd
- client endpoints.
+ description: |-
+ tls specifies TLS configuration for HTTPS etcd client endpoints.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
properties:
clientSecret:
description: |-
@@ -2730,9 +2979,6 @@ spec:
required:
- clientSecret
type: object
- required:
- - endpoint
- - tls
type: object
required:
- managementType
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml
index cc3c053f800a..7847c9cf0ab2 100644
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml
+++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml
@@ -2467,8 +2467,160 @@ spec:
description: managed specifies the behavior of an etcd cluster
managed by HyperShift.
properties:
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, a default single shard accepting all prefixes is used.
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: ManagedEtcdShardSpec defines configuration
+ for a single managed etcd shard
+ properties:
+ backupSchedule:
+ description: |-
+ backupSchedule is the cron schedule for backups (standard cron format)
+ If empty, uses priority-based default or disables backups
+ Examples: "*/30 * * * *" (every 30 min), "0 * * * *" (hourly)
+ maxLength: 100
+ minLength: 1
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ Used for resource naming: etcd-{name}, etcd-{name}-client, etc.
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: |-
+ priority determines operational importance and default backup frequency
+ Critical: Default backup every 30 minutes
+ High: Default backup hourly
+ Medium/Low: Default backup disabled
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ replicas:
+ description: |-
+ replicas is the number of etcd replicas for this shard
+ Must be 1 or 3. If not specified, defaults based on cluster's
+ ControllerAvailabilityPolicy (1 for SingleReplica, 3 for HighlyAvailable)
+ enum:
+ - 1
+ - 3
+ format: int32
+ type: integer
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ storage:
+ description: |-
+ storage specifies storage configuration for this shard
+ If not specified, inherits from ManagedEtcdSpec.Storage
+ properties:
+ persistentVolume:
+ description: |-
+ persistentVolume is the configuration for PersistentVolume etcd storage.
+ With this implementation, a PersistentVolume will be allocated for every
+ etcd member (either 1 or 3 depending on the HostedCluster control plane
+ availability configuration).
+ properties:
+ size:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Gi
+ description: |-
+ size is the minimum size of the data volume for each etcd member.
+ Default is 8Gi.
+ This field is immutable
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ x-kubernetes-validations:
+ - message: Etcd PV storage size is immutable
+ rule: self == oldSelf
+ storageClassName:
+ description: |-
+ storageClassName is the StorageClass of the data volume for each etcd member.
+ See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: storageClassName is immutable
+ rule: self == oldSelf
+ type: object
+ restoreSnapshotURL:
+ description: |-
+ restoreSnapshotURL allows an optional URL to be provided where
+ an etcd snapshot can be downloaded, for example a pre-signed URL
+ referencing a storage service.
+ This snapshot will be restored on initial startup, only when the etcd PV
+ is empty.
+ items:
+ maxLength: 1024
+ type: string
+ maxItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: RestoreSnapshotURL shouldn't contain
+ more than 1 entry
+ rule: self.size() <= 1
+ - message: restoreSnapshotURL is immutable
+ rule: self == oldSelf
+ - message: restoreSnapshotURL must be a valid URL
+ with scheme https or s3
+ rule: self.size() == 0 || self[0].matches('^(https|s3)://.*')
+ type:
+ description: |-
+ type is the kind of persistent storage implementation to use for etcd.
+ Only PersistentVolume is supported at the moment.
+ enum:
+ - PersistentVolume
+ type: string
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - resourcePrefixes
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
storage:
- description: storage specifies how etcd data is persisted.
+ description: |-
+ storage specifies how etcd data is persisted.
+ When shards are specified, this serves as the default for all shards
+ unless overridden per-shard.
properties:
persistentVolume:
description: |-
@@ -2559,17 +2711,114 @@ spec:
properties:
endpoint:
description: |-
- endpoint is the full etcd cluster client endpoint URL. For example:
-
- https://etcd-client:2379
-
- If the URL uses an HTTPS scheme, the TLS field is required.
+ endpoint is the full etcd cluster client endpoint URL.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
maxLength: 255
- pattern: ^https://
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: endpoint must start with https://
+ rule: self.startsWith('https://')
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, uses endpoint and tls fields (legacy single-etcd mode).
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: UnmanagedEtcdShardSpec defines configuration
+ for a single unmanaged etcd shard
+ properties:
+ endpoint:
+ description: |-
+ endpoint is the full etcd shard client endpoint URL
+ Example: https://etcd-events-client:2379
+ maxLength: 255
+ pattern: ^https://
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: priority determines operational importance
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ tls:
+ description: tls specifies TLS configuration for this
+ shard's HTTPS endpoint
+ properties:
+ clientSecret:
+ description: |-
+ clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It
+ may have the following key/value pairs:
+
+ etcd-client-ca.crt: Certificate Authority value
+ etcd-client.crt: Client certificate value
+ etcd-client.key: Client certificate key value
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - clientSecret
+ type: object
+ required:
+ - endpoint
+ - name
+ - resourcePrefixes
+ - tls
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
tls:
- description: tls specifies TLS configuration for HTTPS etcd
- client endpoints.
+ description: |-
+ tls specifies TLS configuration for HTTPS etcd client endpoints.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
properties:
clientSecret:
description: |-
@@ -2594,9 +2843,6 @@ spec:
required:
- clientSecret
type: object
- required:
- - endpoint
- - tls
type: object
required:
- managementType
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml
index de1dc8aa58af..41782b8cebe5 100644
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml
+++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml
@@ -2467,8 +2467,160 @@ spec:
description: managed specifies the behavior of an etcd cluster
managed by HyperShift.
properties:
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, a default single shard accepting all prefixes is used.
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: ManagedEtcdShardSpec defines configuration
+ for a single managed etcd shard
+ properties:
+ backupSchedule:
+ description: |-
+ backupSchedule is the cron schedule for backups (standard cron format)
+ If empty, uses priority-based default or disables backups
+ Examples: "*/30 * * * *" (every 30 min), "0 * * * *" (hourly)
+ maxLength: 100
+ minLength: 1
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ Used for resource naming: etcd-{name}, etcd-{name}-client, etc.
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: |-
+ priority determines operational importance and default backup frequency
+ Critical: Default backup every 30 minutes
+ High: Default backup hourly
+ Medium/Low: Default backup disabled
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ replicas:
+ description: |-
+ replicas is the number of etcd replicas for this shard
+ Must be 1 or 3. If not specified, defaults based on cluster's
+ ControllerAvailabilityPolicy (1 for SingleReplica, 3 for HighlyAvailable)
+ enum:
+ - 1
+ - 3
+ format: int32
+ type: integer
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ storage:
+ description: |-
+ storage specifies storage configuration for this shard
+ If not specified, inherits from ManagedEtcdSpec.Storage
+ properties:
+ persistentVolume:
+ description: |-
+ persistentVolume is the configuration for PersistentVolume etcd storage.
+ With this implementation, a PersistentVolume will be allocated for every
+ etcd member (either 1 or 3 depending on the HostedCluster control plane
+ availability configuration).
+ properties:
+ size:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Gi
+ description: |-
+ size is the minimum size of the data volume for each etcd member.
+ Default is 8Gi.
+ This field is immutable
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ x-kubernetes-validations:
+ - message: Etcd PV storage size is immutable
+ rule: self == oldSelf
+ storageClassName:
+ description: |-
+ storageClassName is the StorageClass of the data volume for each etcd member.
+ See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: storageClassName is immutable
+ rule: self == oldSelf
+ type: object
+ restoreSnapshotURL:
+ description: |-
+ restoreSnapshotURL allows an optional URL to be provided where
+ an etcd snapshot can be downloaded, for example a pre-signed URL
+ referencing a storage service.
+ This snapshot will be restored on initial startup, only when the etcd PV
+ is empty.
+ items:
+ maxLength: 1024
+ type: string
+ maxItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: RestoreSnapshotURL shouldn't contain
+ more than 1 entry
+ rule: self.size() <= 1
+ - message: restoreSnapshotURL is immutable
+ rule: self == oldSelf
+ - message: restoreSnapshotURL must be a valid URL
+ with scheme https or s3
+ rule: self.size() == 0 || self[0].matches('^(https|s3)://.*')
+ type:
+ description: |-
+ type is the kind of persistent storage implementation to use for etcd.
+ Only PersistentVolume is supported at the moment.
+ enum:
+ - PersistentVolume
+ type: string
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - resourcePrefixes
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
storage:
- description: storage specifies how etcd data is persisted.
+ description: |-
+ storage specifies how etcd data is persisted.
+ When shards are specified, this serves as the default for all shards
+ unless overridden per-shard.
properties:
persistentVolume:
description: |-
@@ -2559,17 +2711,114 @@ spec:
properties:
endpoint:
description: |-
- endpoint is the full etcd cluster client endpoint URL. For example:
-
- https://etcd-client:2379
-
- If the URL uses an HTTPS scheme, the TLS field is required.
+ endpoint is the full etcd cluster client endpoint URL.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
maxLength: 255
- pattern: ^https://
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: endpoint must start with https://
+ rule: self.startsWith('https://')
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, uses endpoint and tls fields (legacy single-etcd mode).
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: UnmanagedEtcdShardSpec defines configuration
+ for a single unmanaged etcd shard
+ properties:
+ endpoint:
+ description: |-
+ endpoint is the full etcd shard client endpoint URL
+ Example: https://etcd-events-client:2379
+ maxLength: 255
+ pattern: ^https://
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: priority determines operational importance
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ tls:
+ description: tls specifies TLS configuration for this
+ shard's HTTPS endpoint
+ properties:
+ clientSecret:
+ description: |-
+ clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It
+ may have the following key/value pairs:
+
+ etcd-client-ca.crt: Certificate Authority value
+ etcd-client.crt: Client certificate value
+ etcd-client.key: Client certificate key value
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - clientSecret
+ type: object
+ required:
+ - endpoint
+ - name
+ - resourcePrefixes
+ - tls
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
tls:
- description: tls specifies TLS configuration for HTTPS etcd
- client endpoints.
+ description: |-
+ tls specifies TLS configuration for HTTPS etcd client endpoints.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
properties:
clientSecret:
description: |-
@@ -2594,9 +2843,6 @@ spec:
required:
- clientSecret
type: object
- required:
- - endpoint
- - tls
type: object
required:
- managementType
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml
index 6630d27aeb21..3e49999484fa 100644
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml
+++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml
@@ -2800,8 +2800,160 @@ spec:
description: managed specifies the behavior of an etcd cluster
managed by HyperShift.
properties:
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, a default single shard accepting all prefixes is used.
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: ManagedEtcdShardSpec defines configuration
+ for a single managed etcd shard
+ properties:
+ backupSchedule:
+ description: |-
+ backupSchedule is the cron schedule for backups (standard cron format)
+ If empty, uses priority-based default or disables backups
+ Examples: "*/30 * * * *" (every 30 min), "0 * * * *" (hourly)
+ maxLength: 100
+ minLength: 1
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ Used for resource naming: etcd-{name}, etcd-{name}-client, etc.
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: |-
+ priority determines operational importance and default backup frequency
+ Critical: Default backup every 30 minutes
+ High: Default backup hourly
+ Medium/Low: Default backup disabled
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ replicas:
+ description: |-
+ replicas is the number of etcd replicas for this shard
+ Must be 1 or 3. If not specified, defaults based on cluster's
+ ControllerAvailabilityPolicy (1 for SingleReplica, 3 for HighlyAvailable)
+ enum:
+ - 1
+ - 3
+ format: int32
+ type: integer
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ storage:
+ description: |-
+ storage specifies storage configuration for this shard
+ If not specified, inherits from ManagedEtcdSpec.Storage
+ properties:
+ persistentVolume:
+ description: |-
+ persistentVolume is the configuration for PersistentVolume etcd storage.
+ With this implementation, a PersistentVolume will be allocated for every
+ etcd member (either 1 or 3 depending on the HostedCluster control plane
+ availability configuration).
+ properties:
+ size:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Gi
+ description: |-
+ size is the minimum size of the data volume for each etcd member.
+ Default is 8Gi.
+ This field is immutable
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ x-kubernetes-validations:
+ - message: Etcd PV storage size is immutable
+ rule: self == oldSelf
+ storageClassName:
+ description: |-
+ storageClassName is the StorageClass of the data volume for each etcd member.
+ See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: storageClassName is immutable
+ rule: self == oldSelf
+ type: object
+ restoreSnapshotURL:
+ description: |-
+ restoreSnapshotURL allows an optional URL to be provided where
+ an etcd snapshot can be downloaded, for example a pre-signed URL
+ referencing a storage service.
+ This snapshot will be restored on initial startup, only when the etcd PV
+ is empty.
+ items:
+ maxLength: 1024
+ type: string
+ maxItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: RestoreSnapshotURL shouldn't contain
+ more than 1 entry
+ rule: self.size() <= 1
+ - message: restoreSnapshotURL is immutable
+ rule: self == oldSelf
+ - message: restoreSnapshotURL must be a valid URL
+ with scheme https or s3
+ rule: self.size() == 0 || self[0].matches('^(https|s3)://.*')
+ type:
+ description: |-
+ type is the kind of persistent storage implementation to use for etcd.
+ Only PersistentVolume is supported at the moment.
+ enum:
+ - PersistentVolume
+ type: string
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - resourcePrefixes
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
storage:
- description: storage specifies how etcd data is persisted.
+ description: |-
+ storage specifies how etcd data is persisted.
+ When shards are specified, this serves as the default for all shards
+ unless overridden per-shard.
properties:
persistentVolume:
description: |-
@@ -2892,17 +3044,114 @@ spec:
properties:
endpoint:
description: |-
- endpoint is the full etcd cluster client endpoint URL. For example:
-
- https://etcd-client:2379
-
- If the URL uses an HTTPS scheme, the TLS field is required.
+ endpoint is the full etcd cluster client endpoint URL.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
maxLength: 255
- pattern: ^https://
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: endpoint must start with https://
+ rule: self.startsWith('https://')
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, uses endpoint and tls fields (legacy single-etcd mode).
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: UnmanagedEtcdShardSpec defines configuration
+ for a single unmanaged etcd shard
+ properties:
+ endpoint:
+ description: |-
+ endpoint is the full etcd shard client endpoint URL
+ Example: https://etcd-events-client:2379
+ maxLength: 255
+ pattern: ^https://
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: priority determines operational importance
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ tls:
+ description: tls specifies TLS configuration for this
+ shard's HTTPS endpoint
+ properties:
+ clientSecret:
+ description: |-
+ clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It
+ may have the following key/value pairs:
+
+ etcd-client-ca.crt: Certificate Authority value
+ etcd-client.crt: Client certificate value
+ etcd-client.key: Client certificate key value
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - clientSecret
+ type: object
+ required:
+ - endpoint
+ - name
+ - resourcePrefixes
+ - tls
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
tls:
- description: tls specifies TLS configuration for HTTPS etcd
- client endpoints.
+ description: |-
+ tls specifies TLS configuration for HTTPS etcd client endpoints.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
properties:
clientSecret:
description: |-
@@ -2927,9 +3176,6 @@ spec:
required:
- clientSecret
type: object
- required:
- - endpoint
- - tls
type: object
required:
- managementType
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml
index d4c1bdd7fcf2..4e5df8fcf2a5 100644
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml
+++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml
@@ -2940,8 +2940,160 @@ spec:
description: managed specifies the behavior of an etcd cluster
managed by HyperShift.
properties:
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, a default single shard accepting all prefixes is used.
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: ManagedEtcdShardSpec defines configuration
+ for a single managed etcd shard
+ properties:
+ backupSchedule:
+ description: |-
+ backupSchedule is the cron schedule for backups (standard cron format)
+ If empty, uses priority-based default or disables backups
+ Examples: "*/30 * * * *" (every 30 min), "0 * * * *" (hourly)
+ maxLength: 100
+ minLength: 1
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ Used for resource naming: etcd-{name}, etcd-{name}-client, etc.
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: |-
+ priority determines operational importance and default backup frequency
+ Critical: Default backup every 30 minutes
+ High: Default backup hourly
+ Medium/Low: Default backup disabled
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ replicas:
+ description: |-
+ replicas is the number of etcd replicas for this shard
+ Must be 1 or 3. If not specified, defaults based on cluster's
+ ControllerAvailabilityPolicy (1 for SingleReplica, 3 for HighlyAvailable)
+ enum:
+ - 1
+ - 3
+ format: int32
+ type: integer
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ storage:
+ description: |-
+ storage specifies storage configuration for this shard
+ If not specified, inherits from ManagedEtcdSpec.Storage
+ properties:
+ persistentVolume:
+ description: |-
+ persistentVolume is the configuration for PersistentVolume etcd storage.
+ With this implementation, a PersistentVolume will be allocated for every
+ etcd member (either 1 or 3 depending on the HostedCluster control plane
+ availability configuration).
+ properties:
+ size:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Gi
+ description: |-
+ size is the minimum size of the data volume for each etcd member.
+ Default is 8Gi.
+ This field is immutable
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ x-kubernetes-validations:
+ - message: Etcd PV storage size is immutable
+ rule: self == oldSelf
+ storageClassName:
+ description: |-
+ storageClassName is the StorageClass of the data volume for each etcd member.
+ See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: storageClassName is immutable
+ rule: self == oldSelf
+ type: object
+ restoreSnapshotURL:
+ description: |-
+ restoreSnapshotURL allows an optional URL to be provided where
+ an etcd snapshot can be downloaded, for example a pre-signed URL
+ referencing a storage service.
+ This snapshot will be restored on initial startup, only when the etcd PV
+ is empty.
+ items:
+ maxLength: 1024
+ type: string
+ maxItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: RestoreSnapshotURL shouldn't contain
+ more than 1 entry
+ rule: self.size() <= 1
+ - message: restoreSnapshotURL is immutable
+ rule: self == oldSelf
+ - message: restoreSnapshotURL must be a valid URL
+ with scheme https or s3
+ rule: self.size() == 0 || self[0].matches('^(https|s3)://.*')
+ type:
+ description: |-
+ type is the kind of persistent storage implementation to use for etcd.
+ Only PersistentVolume is supported at the moment.
+ enum:
+ - PersistentVolume
+ type: string
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - resourcePrefixes
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
storage:
- description: storage specifies how etcd data is persisted.
+ description: |-
+ storage specifies how etcd data is persisted.
+ When shards are specified, this serves as the default for all shards
+ unless overridden per-shard.
properties:
persistentVolume:
description: |-
@@ -3032,17 +3184,114 @@ spec:
properties:
endpoint:
description: |-
- endpoint is the full etcd cluster client endpoint URL. For example:
-
- https://etcd-client:2379
-
- If the URL uses an HTTPS scheme, the TLS field is required.
+ endpoint is the full etcd cluster client endpoint URL.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
maxLength: 255
- pattern: ^https://
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: endpoint must start with https://
+ rule: self.startsWith('https://')
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, uses endpoint and tls fields (legacy single-etcd mode).
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: UnmanagedEtcdShardSpec defines configuration
+ for a single unmanaged etcd shard
+ properties:
+ endpoint:
+ description: |-
+ endpoint is the full etcd shard client endpoint URL
+ Example: https://etcd-events-client:2379
+ maxLength: 255
+ pattern: ^https://
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: priority determines operational importance
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ tls:
+ description: tls specifies TLS configuration for this
+ shard's HTTPS endpoint
+ properties:
+ clientSecret:
+ description: |-
+ clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It
+ may have the following key/value pairs:
+
+ etcd-client-ca.crt: Certificate Authority value
+ etcd-client.crt: Client certificate value
+ etcd-client.key: Client certificate key value
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - clientSecret
+ type: object
+ required:
+ - endpoint
+ - name
+ - resourcePrefixes
+ - tls
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
tls:
- description: tls specifies TLS configuration for HTTPS etcd
- client endpoints.
+ description: |-
+ tls specifies TLS configuration for HTTPS etcd client endpoints.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
properties:
clientSecret:
description: |-
@@ -3067,9 +3316,6 @@ spec:
required:
- clientSecret
type: object
- required:
- - endpoint
- - tls
type: object
required:
- managementType
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml
index 7822b30358e7..ff54d1fef830 100644
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml
+++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml
@@ -2921,8 +2921,160 @@ spec:
description: managed specifies the behavior of an etcd cluster
managed by HyperShift.
properties:
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, a default single shard accepting all prefixes is used.
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: ManagedEtcdShardSpec defines configuration
+ for a single managed etcd shard
+ properties:
+ backupSchedule:
+ description: |-
+ backupSchedule is the cron schedule for backups (standard cron format)
+ If empty, uses priority-based default or disables backups
+ Examples: "*/30 * * * *" (every 30 min), "0 * * * *" (hourly)
+ maxLength: 100
+ minLength: 1
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ Used for resource naming: etcd-{name}, etcd-{name}-client, etc.
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: |-
+ priority determines operational importance and default backup frequency
+ Critical: Default backup every 30 minutes
+ High: Default backup hourly
+ Medium/Low: Default backup disabled
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ replicas:
+ description: |-
+ replicas is the number of etcd replicas for this shard
+ Must be 1 or 3. If not specified, defaults based on cluster's
+ ControllerAvailabilityPolicy (1 for SingleReplica, 3 for HighlyAvailable)
+ enum:
+ - 1
+ - 3
+ format: int32
+ type: integer
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ storage:
+ description: |-
+ storage specifies storage configuration for this shard
+ If not specified, inherits from ManagedEtcdSpec.Storage
+ properties:
+ persistentVolume:
+ description: |-
+ persistentVolume is the configuration for PersistentVolume etcd storage.
+ With this implementation, a PersistentVolume will be allocated for every
+ etcd member (either 1 or 3 depending on the HostedCluster control plane
+ availability configuration).
+ properties:
+ size:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Gi
+ description: |-
+ size is the minimum size of the data volume for each etcd member.
+ Default is 8Gi.
+ This field is immutable
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ x-kubernetes-validations:
+ - message: Etcd PV storage size is immutable
+ rule: self == oldSelf
+ storageClassName:
+ description: |-
+ storageClassName is the StorageClass of the data volume for each etcd member.
+ See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: storageClassName is immutable
+ rule: self == oldSelf
+ type: object
+ restoreSnapshotURL:
+ description: |-
+ restoreSnapshotURL allows an optional URL to be provided where
+ an etcd snapshot can be downloaded, for example a pre-signed URL
+ referencing a storage service.
+ This snapshot will be restored on initial startup, only when the etcd PV
+ is empty.
+ items:
+ maxLength: 1024
+ type: string
+ maxItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: RestoreSnapshotURL shouldn't contain
+ more than 1 entry
+ rule: self.size() <= 1
+ - message: restoreSnapshotURL is immutable
+ rule: self == oldSelf
+ - message: restoreSnapshotURL must be a valid URL
+ with scheme https or s3
+ rule: self.size() == 0 || self[0].matches('^(https|s3)://.*')
+ type:
+ description: |-
+ type is the kind of persistent storage implementation to use for etcd.
+ Only PersistentVolume is supported at the moment.
+ enum:
+ - PersistentVolume
+ type: string
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - resourcePrefixes
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
storage:
- description: storage specifies how etcd data is persisted.
+ description: |-
+ storage specifies how etcd data is persisted.
+ When shards are specified, this serves as the default for all shards
+ unless overridden per-shard.
properties:
persistentVolume:
description: |-
@@ -3013,17 +3165,114 @@ spec:
properties:
endpoint:
description: |-
- endpoint is the full etcd cluster client endpoint URL. For example:
-
- https://etcd-client:2379
-
- If the URL uses an HTTPS scheme, the TLS field is required.
+ endpoint is the full etcd cluster client endpoint URL.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
maxLength: 255
- pattern: ^https://
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: endpoint must start with https://
+ rule: self.startsWith('https://')
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, uses endpoint and tls fields (legacy single-etcd mode).
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: UnmanagedEtcdShardSpec defines configuration
+ for a single unmanaged etcd shard
+ properties:
+ endpoint:
+ description: |-
+ endpoint is the full etcd shard client endpoint URL
+ Example: https://etcd-events-client:2379
+ maxLength: 255
+ pattern: ^https://
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: priority determines operational importance
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ tls:
+ description: tls specifies TLS configuration for this
+ shard's HTTPS endpoint
+ properties:
+ clientSecret:
+ description: |-
+ clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It
+ may have the following key/value pairs:
+
+ etcd-client-ca.crt: Certificate Authority value
+ etcd-client.crt: Client certificate value
+ etcd-client.key: Client certificate key value
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - clientSecret
+ type: object
+ required:
+ - endpoint
+ - name
+ - resourcePrefixes
+ - tls
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
tls:
- description: tls specifies TLS configuration for HTTPS etcd
- client endpoints.
+ description: |-
+ tls specifies TLS configuration for HTTPS etcd client endpoints.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
properties:
clientSecret:
description: |-
@@ -3048,9 +3297,6 @@ spec:
required:
- clientSecret
type: object
- required:
- - endpoint
- - tls
type: object
required:
- managementType
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml
index 6c6fdc61639e..8d34879b271e 100644
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml
+++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml
@@ -2467,8 +2467,160 @@ spec:
description: managed specifies the behavior of an etcd cluster
managed by HyperShift.
properties:
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, a default single shard accepting all prefixes is used.
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: ManagedEtcdShardSpec defines configuration
+ for a single managed etcd shard
+ properties:
+ backupSchedule:
+ description: |-
+ backupSchedule is the cron schedule for backups (standard cron format)
+ If empty, uses priority-based default or disables backups
+ Examples: "*/30 * * * *" (every 30 min), "0 * * * *" (hourly)
+ maxLength: 100
+ minLength: 1
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ Used for resource naming: etcd-{name}, etcd-{name}-client, etc.
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: |-
+ priority determines operational importance and default backup frequency
+ Critical: Default backup every 30 minutes
+ High: Default backup hourly
+ Medium/Low: Default backup disabled
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ replicas:
+ description: |-
+ replicas is the number of etcd replicas for this shard
+ Must be 1 or 3. If not specified, defaults based on cluster's
+ ControllerAvailabilityPolicy (1 for SingleReplica, 3 for HighlyAvailable)
+ enum:
+ - 1
+ - 3
+ format: int32
+ type: integer
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ storage:
+ description: |-
+ storage specifies storage configuration for this shard
+ If not specified, inherits from ManagedEtcdSpec.Storage
+ properties:
+ persistentVolume:
+ description: |-
+ persistentVolume is the configuration for PersistentVolume etcd storage.
+ With this implementation, a PersistentVolume will be allocated for every
+ etcd member (either 1 or 3 depending on the HostedCluster control plane
+ availability configuration).
+ properties:
+ size:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Gi
+ description: |-
+ size is the minimum size of the data volume for each etcd member.
+ Default is 8Gi.
+ This field is immutable
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ x-kubernetes-validations:
+ - message: Etcd PV storage size is immutable
+ rule: self == oldSelf
+ storageClassName:
+ description: |-
+ storageClassName is the StorageClass of the data volume for each etcd member.
+ See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: storageClassName is immutable
+ rule: self == oldSelf
+ type: object
+ restoreSnapshotURL:
+ description: |-
+ restoreSnapshotURL allows an optional URL to be provided where
+ an etcd snapshot can be downloaded, for example a pre-signed URL
+ referencing a storage service.
+ This snapshot will be restored on initial startup, only when the etcd PV
+ is empty.
+ items:
+ maxLength: 1024
+ type: string
+ maxItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: RestoreSnapshotURL shouldn't contain
+ more than 1 entry
+ rule: self.size() <= 1
+ - message: restoreSnapshotURL is immutable
+ rule: self == oldSelf
+ - message: restoreSnapshotURL must be a valid URL
+ with scheme https or s3
+ rule: self.size() == 0 || self[0].matches('^(https|s3)://.*')
+ type:
+ description: |-
+ type is the kind of persistent storage implementation to use for etcd.
+ Only PersistentVolume is supported at the moment.
+ enum:
+ - PersistentVolume
+ type: string
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - resourcePrefixes
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
storage:
- description: storage specifies how etcd data is persisted.
+ description: |-
+ storage specifies how etcd data is persisted.
+ When shards are specified, this serves as the default for all shards
+ unless overridden per-shard.
properties:
persistentVolume:
description: |-
@@ -2559,17 +2711,114 @@ spec:
properties:
endpoint:
description: |-
- endpoint is the full etcd cluster client endpoint URL. For example:
-
- https://etcd-client:2379
-
- If the URL uses an HTTPS scheme, the TLS field is required.
+ endpoint is the full etcd cluster client endpoint URL.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
maxLength: 255
- pattern: ^https://
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: endpoint must start with https://
+ rule: self.startsWith('https://')
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, uses endpoint and tls fields (legacy single-etcd mode).
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: UnmanagedEtcdShardSpec defines configuration
+ for a single unmanaged etcd shard
+ properties:
+ endpoint:
+ description: |-
+ endpoint is the full etcd shard client endpoint URL
+ Example: https://etcd-events-client:2379
+ maxLength: 255
+ pattern: ^https://
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: priority determines operational importance
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ tls:
+ description: tls specifies TLS configuration for this
+ shard's HTTPS endpoint
+ properties:
+ clientSecret:
+ description: |-
+ clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It
+ may have the following key/value pairs:
+
+ etcd-client-ca.crt: Certificate Authority value
+ etcd-client.crt: Client certificate value
+ etcd-client.key: Client certificate key value
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - clientSecret
+ type: object
+ required:
+ - endpoint
+ - name
+ - resourcePrefixes
+ - tls
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
tls:
- description: tls specifies TLS configuration for HTTPS etcd
- client endpoints.
+ description: |-
+ tls specifies TLS configuration for HTTPS etcd client endpoints.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
properties:
clientSecret:
description: |-
@@ -2594,9 +2843,6 @@ spec:
required:
- clientSecret
type: object
- required:
- - endpoint
- - tls
type: object
required:
- managementType
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPEtcdBackup.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPEtcdBackup.yaml
index 9f9425548989..ce7dded07a00 100644
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPEtcdBackup.yaml
+++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPEtcdBackup.yaml
@@ -2532,8 +2532,160 @@ spec:
- message: azure configuration is required when platform is
Azure, and forbidden otherwise
rule: 'self.platform == ''Azure'' ? has(self.azure) : !has(self.azure)'
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, a default single shard accepting all prefixes is used.
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: ManagedEtcdShardSpec defines configuration
+ for a single managed etcd shard
+ properties:
+ backupSchedule:
+ description: |-
+ backupSchedule is the cron schedule for backups (standard cron format)
+ If empty, uses priority-based default or disables backups
+ Examples: "*/30 * * * *" (every 30 min), "0 * * * *" (hourly)
+ maxLength: 100
+ minLength: 1
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ Used for resource naming: etcd-{name}, etcd-{name}-client, etc.
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: |-
+ priority determines operational importance and default backup frequency
+ Critical: Default backup every 30 minutes
+ High: Default backup hourly
+ Medium/Low: Default backup disabled
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ replicas:
+ description: |-
+ replicas is the number of etcd replicas for this shard
+ Must be 1 or 3. If not specified, defaults based on cluster's
+ ControllerAvailabilityPolicy (1 for SingleReplica, 3 for HighlyAvailable)
+ enum:
+ - 1
+ - 3
+ format: int32
+ type: integer
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ storage:
+ description: |-
+ storage specifies storage configuration for this shard
+ If not specified, inherits from ManagedEtcdSpec.Storage
+ properties:
+ persistentVolume:
+ description: |-
+ persistentVolume is the configuration for PersistentVolume etcd storage.
+ With this implementation, a PersistentVolume will be allocated for every
+ etcd member (either 1 or 3 depending on the HostedCluster control plane
+ availability configuration).
+ properties:
+ size:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Gi
+ description: |-
+ size is the minimum size of the data volume for each etcd member.
+ Default is 8Gi.
+ This field is immutable
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ x-kubernetes-validations:
+ - message: Etcd PV storage size is immutable
+ rule: self == oldSelf
+ storageClassName:
+ description: |-
+ storageClassName is the StorageClass of the data volume for each etcd member.
+ See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: storageClassName is immutable
+ rule: self == oldSelf
+ type: object
+ restoreSnapshotURL:
+ description: |-
+ restoreSnapshotURL allows an optional URL to be provided where
+ an etcd snapshot can be downloaded, for example a pre-signed URL
+ referencing a storage service.
+ This snapshot will be restored on initial startup, only when the etcd PV
+ is empty.
+ items:
+ maxLength: 1024
+ type: string
+ maxItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: RestoreSnapshotURL shouldn't contain
+ more than 1 entry
+ rule: self.size() <= 1
+ - message: restoreSnapshotURL is immutable
+ rule: self == oldSelf
+ - message: restoreSnapshotURL must be a valid URL
+ with scheme https or s3
+ rule: self.size() == 0 || self[0].matches('^(https|s3)://.*')
+ type:
+ description: |-
+ type is the kind of persistent storage implementation to use for etcd.
+ Only PersistentVolume is supported at the moment.
+ enum:
+ - PersistentVolume
+ type: string
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - resourcePrefixes
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
storage:
- description: storage specifies how etcd data is persisted.
+ description: |-
+ storage specifies how etcd data is persisted.
+ When shards are specified, this serves as the default for all shards
+ unless overridden per-shard.
properties:
persistentVolume:
description: |-
@@ -2624,17 +2776,114 @@ spec:
properties:
endpoint:
description: |-
- endpoint is the full etcd cluster client endpoint URL. For example:
-
- https://etcd-client:2379
-
- If the URL uses an HTTPS scheme, the TLS field is required.
+ endpoint is the full etcd cluster client endpoint URL.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
maxLength: 255
- pattern: ^https://
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: endpoint must start with https://
+ rule: self.startsWith('https://')
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, uses endpoint and tls fields (legacy single-etcd mode).
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: UnmanagedEtcdShardSpec defines configuration
+ for a single unmanaged etcd shard
+ properties:
+ endpoint:
+ description: |-
+ endpoint is the full etcd shard client endpoint URL
+ Example: https://etcd-events-client:2379
+ maxLength: 255
+ pattern: ^https://
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: priority determines operational importance
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ tls:
+ description: tls specifies TLS configuration for this
+ shard's HTTPS endpoint
+ properties:
+ clientSecret:
+ description: |-
+ clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It
+ may have the following key/value pairs:
+
+ etcd-client-ca.crt: Certificate Authority value
+ etcd-client.crt: Client certificate value
+ etcd-client.key: Client certificate key value
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - clientSecret
+ type: object
+ required:
+ - endpoint
+ - name
+ - resourcePrefixes
+ - tls
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
tls:
- description: tls specifies TLS configuration for HTTPS etcd
- client endpoints.
+ description: |-
+ tls specifies TLS configuration for HTTPS etcd client endpoints.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
properties:
clientSecret:
description: |-
@@ -2659,9 +2908,6 @@ spec:
required:
- clientSecret
type: object
- required:
- - endpoint
- - tls
type: object
required:
- managementType
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml
index 45c638c0545a..0ea7e94f660e 100644
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml
+++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml
@@ -2489,8 +2489,160 @@ spec:
description: managed specifies the behavior of an etcd cluster
managed by HyperShift.
properties:
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, a default single shard accepting all prefixes is used.
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: ManagedEtcdShardSpec defines configuration
+ for a single managed etcd shard
+ properties:
+ backupSchedule:
+ description: |-
+ backupSchedule is the cron schedule for backups (standard cron format)
+ If empty, uses priority-based default or disables backups
+ Examples: "*/30 * * * *" (every 30 min), "0 * * * *" (hourly)
+ maxLength: 100
+ minLength: 1
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ Used for resource naming: etcd-{name}, etcd-{name}-client, etc.
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: |-
+ priority determines operational importance and default backup frequency
+ Critical: Default backup every 30 minutes
+ High: Default backup hourly
+ Medium/Low: Default backup disabled
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ replicas:
+ description: |-
+ replicas is the number of etcd replicas for this shard
+ Must be 1 or 3. If not specified, defaults based on cluster's
+ ControllerAvailabilityPolicy (1 for SingleReplica, 3 for HighlyAvailable)
+ enum:
+ - 1
+ - 3
+ format: int32
+ type: integer
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ storage:
+ description: |-
+ storage specifies storage configuration for this shard
+ If not specified, inherits from ManagedEtcdSpec.Storage
+ properties:
+ persistentVolume:
+ description: |-
+ persistentVolume is the configuration for PersistentVolume etcd storage.
+ With this implementation, a PersistentVolume will be allocated for every
+ etcd member (either 1 or 3 depending on the HostedCluster control plane
+ availability configuration).
+ properties:
+ size:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Gi
+ description: |-
+ size is the minimum size of the data volume for each etcd member.
+ Default is 8Gi.
+ This field is immutable
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ x-kubernetes-validations:
+ - message: Etcd PV storage size is immutable
+ rule: self == oldSelf
+ storageClassName:
+ description: |-
+ storageClassName is the StorageClass of the data volume for each etcd member.
+ See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: storageClassName is immutable
+ rule: self == oldSelf
+ type: object
+ restoreSnapshotURL:
+ description: |-
+ restoreSnapshotURL allows an optional URL to be provided where
+ an etcd snapshot can be downloaded, for example a pre-signed URL
+ referencing a storage service.
+ This snapshot will be restored on initial startup, only when the etcd PV
+ is empty.
+ items:
+ maxLength: 1024
+ type: string
+ maxItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: RestoreSnapshotURL shouldn't contain
+ more than 1 entry
+ rule: self.size() <= 1
+ - message: restoreSnapshotURL is immutable
+ rule: self == oldSelf
+ - message: restoreSnapshotURL must be a valid URL
+ with scheme https or s3
+ rule: self.size() == 0 || self[0].matches('^(https|s3)://.*')
+ type:
+ description: |-
+ type is the kind of persistent storage implementation to use for etcd.
+ Only PersistentVolume is supported at the moment.
+ enum:
+ - PersistentVolume
+ type: string
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - resourcePrefixes
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
storage:
- description: storage specifies how etcd data is persisted.
+ description: |-
+ storage specifies how etcd data is persisted.
+ When shards are specified, this serves as the default for all shards
+ unless overridden per-shard.
properties:
persistentVolume:
description: |-
@@ -2581,17 +2733,114 @@ spec:
properties:
endpoint:
description: |-
- endpoint is the full etcd cluster client endpoint URL. For example:
-
- https://etcd-client:2379
-
- If the URL uses an HTTPS scheme, the TLS field is required.
+ endpoint is the full etcd cluster client endpoint URL.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
maxLength: 255
- pattern: ^https://
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: endpoint must start with https://
+ rule: self.startsWith('https://')
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, uses endpoint and tls fields (legacy single-etcd mode).
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: UnmanagedEtcdShardSpec defines configuration
+ for a single unmanaged etcd shard
+ properties:
+ endpoint:
+ description: |-
+ endpoint is the full etcd shard client endpoint URL
+ Example: https://etcd-events-client:2379
+ maxLength: 255
+ pattern: ^https://
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: priority determines operational importance
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ tls:
+ description: tls specifies TLS configuration for this
+ shard's HTTPS endpoint
+ properties:
+ clientSecret:
+ description: |-
+ clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It
+ may have the following key/value pairs:
+
+ etcd-client-ca.crt: Certificate Authority value
+ etcd-client.crt: Client certificate value
+ etcd-client.key: Client certificate key value
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - clientSecret
+ type: object
+ required:
+ - endpoint
+ - name
+ - resourcePrefixes
+ - tls
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
tls:
- description: tls specifies TLS configuration for HTTPS etcd
- client endpoints.
+ description: |-
+ tls specifies TLS configuration for HTTPS etcd client endpoints.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
properties:
clientSecret:
description: |-
@@ -2616,9 +2865,6 @@ spec:
required:
- clientSecret
type: object
- required:
- - endpoint
- - tls
type: object
required:
- managementType
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml
index 1dd0ce8473d5..4e60d1b4c06a 100644
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml
+++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml
@@ -2485,8 +2485,160 @@ spec:
description: managed specifies the behavior of an etcd cluster
managed by HyperShift.
properties:
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, a default single shard accepting all prefixes is used.
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: ManagedEtcdShardSpec defines configuration
+ for a single managed etcd shard
+ properties:
+ backupSchedule:
+ description: |-
+ backupSchedule is the cron schedule for backups (standard cron format)
+ If empty, uses priority-based default or disables backups
+ Examples: "*/30 * * * *" (every 30 min), "0 * * * *" (hourly)
+ maxLength: 100
+ minLength: 1
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ Used for resource naming: etcd-{name}, etcd-{name}-client, etc.
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: |-
+ priority determines operational importance and default backup frequency
+ Critical: Default backup every 30 minutes
+ High: Default backup hourly
+ Medium/Low: Default backup disabled
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ replicas:
+ description: |-
+ replicas is the number of etcd replicas for this shard
+ Must be 1 or 3. If not specified, defaults based on cluster's
+ ControllerAvailabilityPolicy (1 for SingleReplica, 3 for HighlyAvailable)
+ enum:
+ - 1
+ - 3
+ format: int32
+ type: integer
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ storage:
+ description: |-
+ storage specifies storage configuration for this shard
+ If not specified, inherits from ManagedEtcdSpec.Storage
+ properties:
+ persistentVolume:
+ description: |-
+ persistentVolume is the configuration for PersistentVolume etcd storage.
+ With this implementation, a PersistentVolume will be allocated for every
+ etcd member (either 1 or 3 depending on the HostedCluster control plane
+ availability configuration).
+ properties:
+ size:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Gi
+ description: |-
+ size is the minimum size of the data volume for each etcd member.
+ Default is 8Gi.
+ This field is immutable
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ x-kubernetes-validations:
+ - message: Etcd PV storage size is immutable
+ rule: self == oldSelf
+ storageClassName:
+ description: |-
+ storageClassName is the StorageClass of the data volume for each etcd member.
+ See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: storageClassName is immutable
+ rule: self == oldSelf
+ type: object
+ restoreSnapshotURL:
+ description: |-
+ restoreSnapshotURL allows an optional URL to be provided where
+ an etcd snapshot can be downloaded, for example a pre-signed URL
+ referencing a storage service.
+ This snapshot will be restored on initial startup, only when the etcd PV
+ is empty.
+ items:
+ maxLength: 1024
+ type: string
+ maxItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: RestoreSnapshotURL shouldn't contain
+ more than 1 entry
+ rule: self.size() <= 1
+ - message: restoreSnapshotURL is immutable
+ rule: self == oldSelf
+ - message: restoreSnapshotURL must be a valid URL
+ with scheme https or s3
+ rule: self.size() == 0 || self[0].matches('^(https|s3)://.*')
+ type:
+ description: |-
+ type is the kind of persistent storage implementation to use for etcd.
+ Only PersistentVolume is supported at the moment.
+ enum:
+ - PersistentVolume
+ type: string
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - resourcePrefixes
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
storage:
- description: storage specifies how etcd data is persisted.
+ description: |-
+ storage specifies how etcd data is persisted.
+ When shards are specified, this serves as the default for all shards
+ unless overridden per-shard.
properties:
persistentVolume:
description: |-
@@ -2577,17 +2729,114 @@ spec:
properties:
endpoint:
description: |-
- endpoint is the full etcd cluster client endpoint URL. For example:
-
- https://etcd-client:2379
-
- If the URL uses an HTTPS scheme, the TLS field is required.
+ endpoint is the full etcd cluster client endpoint URL.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
maxLength: 255
- pattern: ^https://
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: endpoint must start with https://
+ rule: self.startsWith('https://')
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, uses endpoint and tls fields (legacy single-etcd mode).
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: UnmanagedEtcdShardSpec defines configuration
+ for a single unmanaged etcd shard
+ properties:
+ endpoint:
+ description: |-
+ endpoint is the full etcd shard client endpoint URL
+ Example: https://etcd-events-client:2379
+ maxLength: 255
+ pattern: ^https://
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: priority determines operational importance
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ tls:
+ description: tls specifies TLS configuration for this
+ shard's HTTPS endpoint
+ properties:
+ clientSecret:
+ description: |-
+ clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It
+ may have the following key/value pairs:
+
+ etcd-client-ca.crt: Certificate Authority value
+ etcd-client.crt: Client certificate value
+ etcd-client.key: Client certificate key value
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - clientSecret
+ type: object
+ required:
+ - endpoint
+ - name
+ - resourcePrefixes
+ - tls
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
tls:
- description: tls specifies TLS configuration for HTTPS etcd
- client endpoints.
+ description: |-
+ tls specifies TLS configuration for HTTPS etcd client endpoints.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
properties:
clientSecret:
description: |-
@@ -2612,9 +2861,6 @@ spec:
required:
- clientSecret
type: object
- required:
- - endpoint
- - tls
type: object
required:
- managementType
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml
index 0fbf3783689c..4cdd6e8a25b3 100644
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml
+++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml
@@ -2543,8 +2543,160 @@ spec:
description: managed specifies the behavior of an etcd cluster
managed by HyperShift.
properties:
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, a default single shard accepting all prefixes is used.
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: ManagedEtcdShardSpec defines configuration
+ for a single managed etcd shard
+ properties:
+ backupSchedule:
+ description: |-
+ backupSchedule is the cron schedule for backups (standard cron format)
+ If empty, uses priority-based default or disables backups
+ Examples: "*/30 * * * *" (every 30 min), "0 * * * *" (hourly)
+ maxLength: 100
+ minLength: 1
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ Used for resource naming: etcd-{name}, etcd-{name}-client, etc.
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: |-
+ priority determines operational importance and default backup frequency
+ Critical: Default backup every 30 minutes
+ High: Default backup hourly
+ Medium/Low: Default backup disabled
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ replicas:
+ description: |-
+ replicas is the number of etcd replicas for this shard
+ Must be 1 or 3. If not specified, defaults based on cluster's
+ ControllerAvailabilityPolicy (1 for SingleReplica, 3 for HighlyAvailable)
+ enum:
+ - 1
+ - 3
+ format: int32
+ type: integer
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ storage:
+ description: |-
+ storage specifies storage configuration for this shard
+ If not specified, inherits from ManagedEtcdSpec.Storage
+ properties:
+ persistentVolume:
+ description: |-
+ persistentVolume is the configuration for PersistentVolume etcd storage.
+ With this implementation, a PersistentVolume will be allocated for every
+ etcd member (either 1 or 3 depending on the HostedCluster control plane
+ availability configuration).
+ properties:
+ size:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Gi
+ description: |-
+ size is the minimum size of the data volume for each etcd member.
+ Default is 8Gi.
+ This field is immutable
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ x-kubernetes-validations:
+ - message: Etcd PV storage size is immutable
+ rule: self == oldSelf
+ storageClassName:
+ description: |-
+ storageClassName is the StorageClass of the data volume for each etcd member.
+ See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: storageClassName is immutable
+ rule: self == oldSelf
+ type: object
+ restoreSnapshotURL:
+ description: |-
+ restoreSnapshotURL allows an optional URL to be provided where
+ an etcd snapshot can be downloaded, for example a pre-signed URL
+ referencing a storage service.
+ This snapshot will be restored on initial startup, only when the etcd PV
+ is empty.
+ items:
+ maxLength: 1024
+ type: string
+ maxItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: RestoreSnapshotURL shouldn't contain
+ more than 1 entry
+ rule: self.size() <= 1
+ - message: restoreSnapshotURL is immutable
+ rule: self == oldSelf
+ - message: restoreSnapshotURL must be a valid URL
+ with scheme https or s3
+ rule: self.size() == 0 || self[0].matches('^(https|s3)://.*')
+ type:
+ description: |-
+ type is the kind of persistent storage implementation to use for etcd.
+ Only PersistentVolume is supported at the moment.
+ enum:
+ - PersistentVolume
+ type: string
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - resourcePrefixes
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
storage:
- description: storage specifies how etcd data is persisted.
+ description: |-
+ storage specifies how etcd data is persisted.
+ When shards are specified, this serves as the default for all shards
+ unless overridden per-shard.
properties:
persistentVolume:
description: |-
@@ -2635,17 +2787,114 @@ spec:
properties:
endpoint:
description: |-
- endpoint is the full etcd cluster client endpoint URL. For example:
-
- https://etcd-client:2379
-
- If the URL uses an HTTPS scheme, the TLS field is required.
+ endpoint is the full etcd cluster client endpoint URL.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
maxLength: 255
- pattern: ^https://
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: endpoint must start with https://
+ rule: self.startsWith('https://')
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, uses endpoint and tls fields (legacy single-etcd mode).
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: UnmanagedEtcdShardSpec defines configuration
+ for a single unmanaged etcd shard
+ properties:
+ endpoint:
+ description: |-
+ endpoint is the full etcd shard client endpoint URL
+ Example: https://etcd-events-client:2379
+ maxLength: 255
+ pattern: ^https://
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: priority determines operational importance
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ tls:
+ description: tls specifies TLS configuration for this
+ shard's HTTPS endpoint
+ properties:
+ clientSecret:
+ description: |-
+ clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It
+ may have the following key/value pairs:
+
+ etcd-client-ca.crt: Certificate Authority value
+ etcd-client.crt: Client certificate value
+ etcd-client.key: Client certificate key value
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - clientSecret
+ type: object
+ required:
+ - endpoint
+ - name
+ - resourcePrefixes
+ - tls
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
tls:
- description: tls specifies TLS configuration for HTTPS etcd
- client endpoints.
+ description: |-
+ tls specifies TLS configuration for HTTPS etcd client endpoints.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
properties:
clientSecret:
description: |-
@@ -2670,9 +2919,6 @@ spec:
required:
- clientSecret
type: object
- required:
- - endpoint
- - tls
type: object
required:
- managementType
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml
index a9550f13ec18..567a822c611b 100644
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml
+++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml
@@ -2467,8 +2467,160 @@ spec:
description: managed specifies the behavior of an etcd cluster
managed by HyperShift.
properties:
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, a default single shard accepting all prefixes is used.
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: ManagedEtcdShardSpec defines configuration
+ for a single managed etcd shard
+ properties:
+ backupSchedule:
+ description: |-
+ backupSchedule is the cron schedule for backups (standard cron format)
+ If empty, uses priority-based default or disables backups
+ Examples: "*/30 * * * *" (every 30 min), "0 * * * *" (hourly)
+ maxLength: 100
+ minLength: 1
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ Used for resource naming: etcd-{name}, etcd-{name}-client, etc.
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: |-
+ priority determines operational importance and default backup frequency
+ Critical: Default backup every 30 minutes
+ High: Default backup hourly
+ Medium/Low: Default backup disabled
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ replicas:
+ description: |-
+ replicas is the number of etcd replicas for this shard
+ Must be 1 or 3. If not specified, defaults based on cluster's
+ ControllerAvailabilityPolicy (1 for SingleReplica, 3 for HighlyAvailable)
+ enum:
+ - 1
+ - 3
+ format: int32
+ type: integer
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ storage:
+ description: |-
+ storage specifies storage configuration for this shard
+ If not specified, inherits from ManagedEtcdSpec.Storage
+ properties:
+ persistentVolume:
+ description: |-
+ persistentVolume is the configuration for PersistentVolume etcd storage.
+ With this implementation, a PersistentVolume will be allocated for every
+ etcd member (either 1 or 3 depending on the HostedCluster control plane
+ availability configuration).
+ properties:
+ size:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Gi
+ description: |-
+ size is the minimum size of the data volume for each etcd member.
+ Default is 8Gi.
+ This field is immutable
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ x-kubernetes-validations:
+ - message: Etcd PV storage size is immutable
+ rule: self == oldSelf
+ storageClassName:
+ description: |-
+ storageClassName is the StorageClass of the data volume for each etcd member.
+ See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: storageClassName is immutable
+ rule: self == oldSelf
+ type: object
+ restoreSnapshotURL:
+ description: |-
+ restoreSnapshotURL allows an optional URL to be provided where
+ an etcd snapshot can be downloaded, for example a pre-signed URL
+ referencing a storage service.
+ This snapshot will be restored on initial startup, only when the etcd PV
+ is empty.
+ items:
+ maxLength: 1024
+ type: string
+ maxItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: RestoreSnapshotURL shouldn't contain
+ more than 1 entry
+ rule: self.size() <= 1
+ - message: restoreSnapshotURL is immutable
+ rule: self == oldSelf
+ - message: restoreSnapshotURL must be a valid URL
+ with scheme https or s3
+ rule: self.size() == 0 || self[0].matches('^(https|s3)://.*')
+ type:
+ description: |-
+ type is the kind of persistent storage implementation to use for etcd.
+ Only PersistentVolume is supported at the moment.
+ enum:
+ - PersistentVolume
+ type: string
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - resourcePrefixes
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
storage:
- description: storage specifies how etcd data is persisted.
+ description: |-
+ storage specifies how etcd data is persisted.
+ When shards are specified, this serves as the default for all shards
+ unless overridden per-shard.
properties:
persistentVolume:
description: |-
@@ -2559,17 +2711,114 @@ spec:
properties:
endpoint:
description: |-
- endpoint is the full etcd cluster client endpoint URL. For example:
-
- https://etcd-client:2379
-
- If the URL uses an HTTPS scheme, the TLS field is required.
+ endpoint is the full etcd cluster client endpoint URL.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
maxLength: 255
- pattern: ^https://
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: endpoint must start with https://
+ rule: self.startsWith('https://')
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, uses endpoint and tls fields (legacy single-etcd mode).
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: UnmanagedEtcdShardSpec defines configuration
+ for a single unmanaged etcd shard
+ properties:
+ endpoint:
+ description: |-
+ endpoint is the full etcd shard client endpoint URL
+ Example: https://etcd-events-client:2379
+ maxLength: 255
+ pattern: ^https://
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: priority determines operational importance
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ tls:
+ description: tls specifies TLS configuration for this
+ shard's HTTPS endpoint
+ properties:
+ clientSecret:
+ description: |-
+ clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It
+ may have the following key/value pairs:
+
+ etcd-client-ca.crt: Certificate Authority value
+ etcd-client.crt: Client certificate value
+ etcd-client.key: Client certificate key value
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - clientSecret
+ type: object
+ required:
+ - endpoint
+ - name
+ - resourcePrefixes
+ - tls
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
tls:
- description: tls specifies TLS configuration for HTTPS etcd
- client endpoints.
+ description: |-
+ tls specifies TLS configuration for HTTPS etcd client endpoints.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
properties:
clientSecret:
description: |-
@@ -2594,9 +2843,6 @@ spec:
required:
- clientSecret
type: object
- required:
- - endpoint
- - tls
type: object
required:
- managementType
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml
index 9a49d67f9eda..7f660240cdb6 100644
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml
+++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml
@@ -2393,8 +2393,160 @@ spec:
description: managed specifies the behavior of an etcd cluster
managed by HyperShift.
properties:
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, a default single shard accepting all prefixes is used.
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: ManagedEtcdShardSpec defines configuration
+ for a single managed etcd shard
+ properties:
+ backupSchedule:
+ description: |-
+ backupSchedule is the cron schedule for backups (standard cron format)
+ If empty, uses priority-based default or disables backups
+ Examples: "*/30 * * * *" (every 30 min), "0 * * * *" (hourly)
+ maxLength: 100
+ minLength: 1
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ Used for resource naming: etcd-{name}, etcd-{name}-client, etc.
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: |-
+ priority determines operational importance and default backup frequency
+ Critical: Default backup every 30 minutes
+ High: Default backup hourly
+ Medium/Low: Default backup disabled
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ replicas:
+ description: |-
+ replicas is the number of etcd replicas for this shard
+ Must be 1 or 3. If not specified, defaults based on cluster's
+ ControllerAvailabilityPolicy (1 for SingleReplica, 3 for HighlyAvailable)
+ enum:
+ - 1
+ - 3
+ format: int32
+ type: integer
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ storage:
+ description: |-
+ storage specifies storage configuration for this shard
+ If not specified, inherits from ManagedEtcdSpec.Storage
+ properties:
+ persistentVolume:
+ description: |-
+ persistentVolume is the configuration for PersistentVolume etcd storage.
+ With this implementation, a PersistentVolume will be allocated for every
+ etcd member (either 1 or 3 depending on the HostedCluster control plane
+ availability configuration).
+ properties:
+ size:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Gi
+ description: |-
+ size is the minimum size of the data volume for each etcd member.
+ Default is 8Gi.
+ This field is immutable
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ x-kubernetes-validations:
+ - message: Etcd PV storage size is immutable
+ rule: self == oldSelf
+ storageClassName:
+ description: |-
+ storageClassName is the StorageClass of the data volume for each etcd member.
+ See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: storageClassName is immutable
+ rule: self == oldSelf
+ type: object
+ restoreSnapshotURL:
+ description: |-
+ restoreSnapshotURL allows an optional URL to be provided where
+ an etcd snapshot can be downloaded, for example a pre-signed URL
+ referencing a storage service.
+ This snapshot will be restored on initial startup, only when the etcd PV
+ is empty.
+ items:
+ maxLength: 1024
+ type: string
+ maxItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: RestoreSnapshotURL shouldn't contain
+ more than 1 entry
+ rule: self.size() <= 1
+ - message: restoreSnapshotURL is immutable
+ rule: self == oldSelf
+ - message: restoreSnapshotURL must be a valid URL
+ with scheme https or s3
+ rule: self.size() == 0 || self[0].matches('^(https|s3)://.*')
+ type:
+ description: |-
+ type is the kind of persistent storage implementation to use for etcd.
+ Only PersistentVolume is supported at the moment.
+ enum:
+ - PersistentVolume
+ type: string
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - resourcePrefixes
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
storage:
- description: storage specifies how etcd data is persisted.
+ description: |-
+ storage specifies how etcd data is persisted.
+ When shards are specified, this serves as the default for all shards
+ unless overridden per-shard.
properties:
persistentVolume:
description: |-
@@ -2485,17 +2637,114 @@ spec:
properties:
endpoint:
description: |-
- endpoint is the full etcd cluster client endpoint URL. For example:
-
- https://etcd-client:2379
-
- If the URL uses an HTTPS scheme, the TLS field is required.
+ endpoint is the full etcd cluster client endpoint URL.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
maxLength: 255
- pattern: ^https://
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: endpoint must start with https://
+ rule: self.startsWith('https://')
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, uses endpoint and tls fields (legacy single-etcd mode).
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: UnmanagedEtcdShardSpec defines configuration
+ for a single unmanaged etcd shard
+ properties:
+ endpoint:
+ description: |-
+ endpoint is the full etcd shard client endpoint URL
+ Example: https://etcd-events-client:2379
+ maxLength: 255
+ pattern: ^https://
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: priority determines operational importance
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ tls:
+ description: tls specifies TLS configuration for this
+ shard's HTTPS endpoint
+ properties:
+ clientSecret:
+ description: |-
+ clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It
+ may have the following key/value pairs:
+
+ etcd-client-ca.crt: Certificate Authority value
+ etcd-client.crt: Client certificate value
+ etcd-client.key: Client certificate key value
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - clientSecret
+ type: object
+ required:
+ - endpoint
+ - name
+ - resourcePrefixes
+ - tls
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
tls:
- description: tls specifies TLS configuration for HTTPS etcd
- client endpoints.
+ description: |-
+ tls specifies TLS configuration for HTTPS etcd client endpoints.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
properties:
clientSecret:
description: |-
@@ -2520,9 +2769,6 @@ spec:
required:
- clientSecret
type: object
- required:
- - endpoint
- - tls
type: object
required:
- managementType
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AutoNodeKarpenter.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AutoNodeKarpenter.yaml
index 04be6dd42570..ce4493feae09 100644
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AutoNodeKarpenter.yaml
+++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AutoNodeKarpenter.yaml
@@ -2522,8 +2522,160 @@ spec:
description: managed specifies the behavior of an etcd cluster
managed by HyperShift.
properties:
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, a default single shard accepting all prefixes is used.
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: ManagedEtcdShardSpec defines configuration
+ for a single managed etcd shard
+ properties:
+ backupSchedule:
+ description: |-
+ backupSchedule is the cron schedule for backups (standard cron format)
+ If empty, uses priority-based default or disables backups
+ Examples: "*/30 * * * *" (every 30 min), "0 * * * *" (hourly)
+ maxLength: 100
+ minLength: 1
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ Used for resource naming: etcd-{name}, etcd-{name}-client, etc.
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: |-
+ priority determines operational importance and default backup frequency
+ Critical: Default backup every 30 minutes
+ High: Default backup hourly
+ Medium/Low: Default backup disabled
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ replicas:
+ description: |-
+ replicas is the number of etcd replicas for this shard
+ Must be 1 or 3. If not specified, defaults based on cluster's
+ ControllerAvailabilityPolicy (1 for SingleReplica, 3 for HighlyAvailable)
+ enum:
+ - 1
+ - 3
+ format: int32
+ type: integer
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ storage:
+ description: |-
+ storage specifies storage configuration for this shard
+ If not specified, inherits from ManagedEtcdSpec.Storage
+ properties:
+ persistentVolume:
+ description: |-
+ persistentVolume is the configuration for PersistentVolume etcd storage.
+ With this implementation, a PersistentVolume will be allocated for every
+ etcd member (either 1 or 3 depending on the HostedCluster control plane
+ availability configuration).
+ properties:
+ size:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Gi
+ description: |-
+ size is the minimum size of the data volume for each etcd member.
+ Default is 8Gi.
+ This field is immutable
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ x-kubernetes-validations:
+ - message: Etcd PV storage size is immutable
+ rule: self == oldSelf
+ storageClassName:
+ description: |-
+ storageClassName is the StorageClass of the data volume for each etcd member.
+ See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: storageClassName is immutable
+ rule: self == oldSelf
+ type: object
+ restoreSnapshotURL:
+ description: |-
+ restoreSnapshotURL allows an optional URL to be provided where
+ an etcd snapshot can be downloaded, for example a pre-signed URL
+ referencing a storage service.
+ This snapshot will be restored on initial startup, only when the etcd PV
+ is empty.
+ items:
+ maxLength: 1024
+ type: string
+ maxItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: RestoreSnapshotURL shouldn't contain
+ more than 1 entry
+ rule: self.size() <= 1
+ - message: restoreSnapshotURL is immutable
+ rule: self == oldSelf
+ - message: restoreSnapshotURL must be a valid URL
+ with scheme https or s3
+ rule: self.size() == 0 || self[0].matches('^(https|s3)://.*')
+ type:
+ description: |-
+ type is the kind of persistent storage implementation to use for etcd.
+ Only PersistentVolume is supported at the moment.
+ enum:
+ - PersistentVolume
+ type: string
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - resourcePrefixes
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
storage:
- description: storage specifies how etcd data is persisted.
+ description: |-
+ storage specifies how etcd data is persisted.
+ When shards are specified, this serves as the default for all shards
+ unless overridden per-shard.
properties:
persistentVolume:
description: |-
@@ -2614,17 +2766,114 @@ spec:
properties:
endpoint:
description: |-
- endpoint is the full etcd cluster client endpoint URL. For example:
-
- https://etcd-client:2379
-
- If the URL uses an HTTPS scheme, the TLS field is required.
+ endpoint is the full etcd cluster client endpoint URL.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
maxLength: 255
- pattern: ^https://
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: endpoint must start with https://
+ rule: self.startsWith('https://')
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, uses endpoint and tls fields (legacy single-etcd mode).
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: UnmanagedEtcdShardSpec defines configuration
+ for a single unmanaged etcd shard
+ properties:
+ endpoint:
+ description: |-
+ endpoint is the full etcd shard client endpoint URL
+ Example: https://etcd-events-client:2379
+ maxLength: 255
+ pattern: ^https://
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: priority determines operational importance
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ tls:
+ description: tls specifies TLS configuration for this
+ shard's HTTPS endpoint
+ properties:
+ clientSecret:
+ description: |-
+ clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It
+ may have the following key/value pairs:
+
+ etcd-client-ca.crt: Certificate Authority value
+ etcd-client.crt: Client certificate value
+ etcd-client.key: Client certificate key value
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - clientSecret
+ type: object
+ required:
+ - endpoint
+ - name
+ - resourcePrefixes
+ - tls
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
tls:
- description: tls specifies TLS configuration for HTTPS etcd
- client endpoints.
+ description: |-
+ tls specifies TLS configuration for HTTPS etcd client endpoints.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
properties:
clientSecret:
description: |-
@@ -2649,9 +2898,6 @@ spec:
required:
- clientSecret
type: object
- required:
- - endpoint
- - tls
type: object
required:
- managementType
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml
index 4181eaa306c3..6b43f8aa8f25 100644
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml
+++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml
@@ -2384,8 +2384,160 @@ spec:
description: managed specifies the behavior of an etcd cluster
managed by HyperShift.
properties:
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, a default single shard accepting all prefixes is used.
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: ManagedEtcdShardSpec defines configuration
+ for a single managed etcd shard
+ properties:
+ backupSchedule:
+ description: |-
+ backupSchedule is the cron schedule for backups (standard cron format)
+ If empty, uses priority-based default or disables backups
+ Examples: "*/30 * * * *" (every 30 min), "0 * * * *" (hourly)
+ maxLength: 100
+ minLength: 1
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ Used for resource naming: etcd-{name}, etcd-{name}-client, etc.
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: |-
+ priority determines operational importance and default backup frequency
+ Critical: Default backup every 30 minutes
+ High: Default backup hourly
+ Medium/Low: Default backup disabled
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ replicas:
+ description: |-
+ replicas is the number of etcd replicas for this shard
+ Must be 1 or 3. If not specified, defaults based on cluster's
+ ControllerAvailabilityPolicy (1 for SingleReplica, 3 for HighlyAvailable)
+ enum:
+ - 1
+ - 3
+ format: int32
+ type: integer
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ storage:
+ description: |-
+ storage specifies storage configuration for this shard
+ If not specified, inherits from ManagedEtcdSpec.Storage
+ properties:
+ persistentVolume:
+ description: |-
+ persistentVolume is the configuration for PersistentVolume etcd storage.
+ With this implementation, a PersistentVolume will be allocated for every
+ etcd member (either 1 or 3 depending on the HostedCluster control plane
+ availability configuration).
+ properties:
+ size:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Gi
+ description: |-
+ size is the minimum size of the data volume for each etcd member.
+ Default is 8Gi.
+ This field is immutable
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ x-kubernetes-validations:
+ - message: Etcd PV storage size is immutable
+ rule: self == oldSelf
+ storageClassName:
+ description: |-
+ storageClassName is the StorageClass of the data volume for each etcd member.
+ See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: storageClassName is immutable
+ rule: self == oldSelf
+ type: object
+ restoreSnapshotURL:
+ description: |-
+ restoreSnapshotURL allows an optional URL to be provided where
+ an etcd snapshot can be downloaded, for example a pre-signed URL
+ referencing a storage service.
+ This snapshot will be restored on initial startup, only when the etcd PV
+ is empty.
+ items:
+ maxLength: 1024
+ type: string
+ maxItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: RestoreSnapshotURL shouldn't contain
+ more than 1 entry
+ rule: self.size() <= 1
+ - message: restoreSnapshotURL is immutable
+ rule: self == oldSelf
+ - message: restoreSnapshotURL must be a valid URL
+ with scheme https or s3
+ rule: self.size() == 0 || self[0].matches('^(https|s3)://.*')
+ type:
+ description: |-
+ type is the kind of persistent storage implementation to use for etcd.
+ Only PersistentVolume is supported at the moment.
+ enum:
+ - PersistentVolume
+ type: string
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - resourcePrefixes
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
storage:
- description: storage specifies how etcd data is persisted.
+ description: |-
+ storage specifies how etcd data is persisted.
+ When shards are specified, this serves as the default for all shards
+ unless overridden per-shard.
properties:
persistentVolume:
description: |-
@@ -2476,17 +2628,114 @@ spec:
properties:
endpoint:
description: |-
- endpoint is the full etcd cluster client endpoint URL. For example:
-
- https://etcd-client:2379
-
- If the URL uses an HTTPS scheme, the TLS field is required.
+ endpoint is the full etcd cluster client endpoint URL.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
maxLength: 255
- pattern: ^https://
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: endpoint must start with https://
+ rule: self.startsWith('https://')
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, uses endpoint and tls fields (legacy single-etcd mode).
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: UnmanagedEtcdShardSpec defines configuration
+ for a single unmanaged etcd shard
+ properties:
+ endpoint:
+ description: |-
+ endpoint is the full etcd shard client endpoint URL
+ Example: https://etcd-events-client:2379
+ maxLength: 255
+ pattern: ^https://
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: priority determines operational importance
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ tls:
+ description: tls specifies TLS configuration for this
+ shard's HTTPS endpoint
+ properties:
+ clientSecret:
+ description: |-
+ clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It
+ may have the following key/value pairs:
+
+ etcd-client-ca.crt: Certificate Authority value
+ etcd-client.crt: Client certificate value
+ etcd-client.key: Client certificate key value
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - clientSecret
+ type: object
+ required:
+ - endpoint
+ - name
+ - resourcePrefixes
+ - tls
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
tls:
- description: tls specifies TLS configuration for HTTPS etcd
- client endpoints.
+ description: |-
+ tls specifies TLS configuration for HTTPS etcd client endpoints.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
properties:
clientSecret:
description: |-
@@ -2511,9 +2760,6 @@ spec:
required:
- clientSecret
type: object
- required:
- - endpoint
- - tls
type: object
required:
- managementType
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml
index e6615973f4b7..6392af227cf3 100644
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml
+++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml
@@ -2384,8 +2384,160 @@ spec:
description: managed specifies the behavior of an etcd cluster
managed by HyperShift.
properties:
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, a default single shard accepting all prefixes is used.
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: ManagedEtcdShardSpec defines configuration
+ for a single managed etcd shard
+ properties:
+ backupSchedule:
+ description: |-
+ backupSchedule is the cron schedule for backups (standard cron format)
+ If empty, uses priority-based default or disables backups
+ Examples: "*/30 * * * *" (every 30 min), "0 * * * *" (hourly)
+ maxLength: 100
+ minLength: 1
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ Used for resource naming: etcd-{name}, etcd-{name}-client, etc.
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: |-
+ priority determines operational importance and default backup frequency
+ Critical: Default backup every 30 minutes
+ High: Default backup hourly
+ Medium/Low: Default backup disabled
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ replicas:
+ description: |-
+ replicas is the number of etcd replicas for this shard
+ Must be 1 or 3. If not specified, defaults based on cluster's
+ ControllerAvailabilityPolicy (1 for SingleReplica, 3 for HighlyAvailable)
+ enum:
+ - 1
+ - 3
+ format: int32
+ type: integer
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ storage:
+ description: |-
+ storage specifies storage configuration for this shard
+ If not specified, inherits from ManagedEtcdSpec.Storage
+ properties:
+ persistentVolume:
+ description: |-
+ persistentVolume is the configuration for PersistentVolume etcd storage.
+ With this implementation, a PersistentVolume will be allocated for every
+ etcd member (either 1 or 3 depending on the HostedCluster control plane
+ availability configuration).
+ properties:
+ size:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Gi
+ description: |-
+ size is the minimum size of the data volume for each etcd member.
+ Default is 8Gi.
+ This field is immutable
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ x-kubernetes-validations:
+ - message: Etcd PV storage size is immutable
+ rule: self == oldSelf
+ storageClassName:
+ description: |-
+ storageClassName is the StorageClass of the data volume for each etcd member.
+ See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: storageClassName is immutable
+ rule: self == oldSelf
+ type: object
+ restoreSnapshotURL:
+ description: |-
+ restoreSnapshotURL allows an optional URL to be provided where
+ an etcd snapshot can be downloaded, for example a pre-signed URL
+ referencing a storage service.
+ This snapshot will be restored on initial startup, only when the etcd PV
+ is empty.
+ items:
+ maxLength: 1024
+ type: string
+ maxItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: RestoreSnapshotURL shouldn't contain
+ more than 1 entry
+ rule: self.size() <= 1
+ - message: restoreSnapshotURL is immutable
+ rule: self == oldSelf
+ - message: restoreSnapshotURL must be a valid URL
+ with scheme https or s3
+ rule: self.size() == 0 || self[0].matches('^(https|s3)://.*')
+ type:
+ description: |-
+ type is the kind of persistent storage implementation to use for etcd.
+ Only PersistentVolume is supported at the moment.
+ enum:
+ - PersistentVolume
+ type: string
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - resourcePrefixes
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
storage:
- description: storage specifies how etcd data is persisted.
+ description: |-
+ storage specifies how etcd data is persisted.
+ When shards are specified, this serves as the default for all shards
+ unless overridden per-shard.
properties:
persistentVolume:
description: |-
@@ -2476,17 +2628,114 @@ spec:
properties:
endpoint:
description: |-
- endpoint is the full etcd cluster client endpoint URL. For example:
-
- https://etcd-client:2379
-
- If the URL uses an HTTPS scheme, the TLS field is required.
+ endpoint is the full etcd cluster client endpoint URL.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
maxLength: 255
- pattern: ^https://
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: endpoint must start with https://
+ rule: self.startsWith('https://')
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, uses endpoint and tls fields (legacy single-etcd mode).
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: UnmanagedEtcdShardSpec defines configuration
+ for a single unmanaged etcd shard
+ properties:
+ endpoint:
+ description: |-
+ endpoint is the full etcd shard client endpoint URL
+ Example: https://etcd-events-client:2379
+ maxLength: 255
+ pattern: ^https://
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: priority determines operational importance
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ tls:
+ description: tls specifies TLS configuration for this
+ shard's HTTPS endpoint
+ properties:
+ clientSecret:
+ description: |-
+ clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It
+ may have the following key/value pairs:
+
+ etcd-client-ca.crt: Certificate Authority value
+ etcd-client.crt: Client certificate value
+ etcd-client.key: Client certificate key value
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - clientSecret
+ type: object
+ required:
+ - endpoint
+ - name
+ - resourcePrefixes
+ - tls
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
tls:
- description: tls specifies TLS configuration for HTTPS etcd
- client endpoints.
+ description: |-
+ tls specifies TLS configuration for HTTPS etcd client endpoints.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
properties:
clientSecret:
description: |-
@@ -2511,9 +2760,6 @@ spec:
required:
- clientSecret
type: object
- required:
- - endpoint
- - tls
type: object
required:
- managementType
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml
index 5fbcb4772f82..2811451e09eb 100644
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml
+++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml
@@ -2717,8 +2717,160 @@ spec:
description: managed specifies the behavior of an etcd cluster
managed by HyperShift.
properties:
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, a default single shard accepting all prefixes is used.
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: ManagedEtcdShardSpec defines configuration
+ for a single managed etcd shard
+ properties:
+ backupSchedule:
+ description: |-
+ backupSchedule is the cron schedule for backups (standard cron format)
+ If empty, uses priority-based default or disables backups
+ Examples: "*/30 * * * *" (every 30 min), "0 * * * *" (hourly)
+ maxLength: 100
+ minLength: 1
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ Used for resource naming: etcd-{name}, etcd-{name}-client, etc.
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: |-
+ priority determines operational importance and default backup frequency
+ Critical: Default backup every 30 minutes
+ High: Default backup hourly
+ Medium/Low: Default backup disabled
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ replicas:
+ description: |-
+ replicas is the number of etcd replicas for this shard
+ Must be 1 or 3. If not specified, defaults based on cluster's
+ ControllerAvailabilityPolicy (1 for SingleReplica, 3 for HighlyAvailable)
+ enum:
+ - 1
+ - 3
+ format: int32
+ type: integer
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ storage:
+ description: |-
+ storage specifies storage configuration for this shard
+ If not specified, inherits from ManagedEtcdSpec.Storage
+ properties:
+ persistentVolume:
+ description: |-
+ persistentVolume is the configuration for PersistentVolume etcd storage.
+ With this implementation, a PersistentVolume will be allocated for every
+ etcd member (either 1 or 3 depending on the HostedCluster control plane
+ availability configuration).
+ properties:
+ size:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Gi
+ description: |-
+ size is the minimum size of the data volume for each etcd member.
+ Default is 8Gi.
+ This field is immutable
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ x-kubernetes-validations:
+ - message: Etcd PV storage size is immutable
+ rule: self == oldSelf
+ storageClassName:
+ description: |-
+ storageClassName is the StorageClass of the data volume for each etcd member.
+ See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: storageClassName is immutable
+ rule: self == oldSelf
+ type: object
+ restoreSnapshotURL:
+ description: |-
+ restoreSnapshotURL allows an optional URL to be provided where
+ an etcd snapshot can be downloaded, for example a pre-signed URL
+ referencing a storage service.
+ This snapshot will be restored on initial startup, only when the etcd PV
+ is empty.
+ items:
+ maxLength: 1024
+ type: string
+ maxItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: RestoreSnapshotURL shouldn't contain
+ more than 1 entry
+ rule: self.size() <= 1
+ - message: restoreSnapshotURL is immutable
+ rule: self == oldSelf
+ - message: restoreSnapshotURL must be a valid URL
+ with scheme https or s3
+ rule: self.size() == 0 || self[0].matches('^(https|s3)://.*')
+ type:
+ description: |-
+ type is the kind of persistent storage implementation to use for etcd.
+ Only PersistentVolume is supported at the moment.
+ enum:
+ - PersistentVolume
+ type: string
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - resourcePrefixes
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
storage:
- description: storage specifies how etcd data is persisted.
+ description: |-
+ storage specifies how etcd data is persisted.
+ When shards are specified, this serves as the default for all shards
+ unless overridden per-shard.
properties:
persistentVolume:
description: |-
@@ -2809,17 +2961,114 @@ spec:
properties:
endpoint:
description: |-
- endpoint is the full etcd cluster client endpoint URL. For example:
-
- https://etcd-client:2379
-
- If the URL uses an HTTPS scheme, the TLS field is required.
+ endpoint is the full etcd cluster client endpoint URL.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
maxLength: 255
- pattern: ^https://
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: endpoint must start with https://
+ rule: self.startsWith('https://')
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, uses endpoint and tls fields (legacy single-etcd mode).
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: UnmanagedEtcdShardSpec defines configuration
+ for a single unmanaged etcd shard
+ properties:
+ endpoint:
+ description: |-
+ endpoint is the full etcd shard client endpoint URL
+ Example: https://etcd-events-client:2379
+ maxLength: 255
+ pattern: ^https://
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: priority determines operational importance
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ tls:
+ description: tls specifies TLS configuration for this
+ shard's HTTPS endpoint
+ properties:
+ clientSecret:
+ description: |-
+ clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It
+ may have the following key/value pairs:
+
+ etcd-client-ca.crt: Certificate Authority value
+ etcd-client.crt: Client certificate value
+ etcd-client.key: Client certificate key value
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - clientSecret
+ type: object
+ required:
+ - endpoint
+ - name
+ - resourcePrefixes
+ - tls
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
tls:
- description: tls specifies TLS configuration for HTTPS etcd
- client endpoints.
+ description: |-
+ tls specifies TLS configuration for HTTPS etcd client endpoints.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
properties:
clientSecret:
description: |-
@@ -2844,9 +3093,6 @@ spec:
required:
- clientSecret
type: object
- required:
- - endpoint
- - tls
type: object
required:
- managementType
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml
index 84fef65195b8..16f90571bb80 100644
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml
+++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml
@@ -2857,8 +2857,160 @@ spec:
description: managed specifies the behavior of an etcd cluster
managed by HyperShift.
properties:
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, a default single shard accepting all prefixes is used.
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: ManagedEtcdShardSpec defines configuration
+ for a single managed etcd shard
+ properties:
+ backupSchedule:
+ description: |-
+ backupSchedule is the cron schedule for backups (standard cron format)
+ If empty, uses priority-based default or disables backups
+ Examples: "*/30 * * * *" (every 30 min), "0 * * * *" (hourly)
+ maxLength: 100
+ minLength: 1
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ Used for resource naming: etcd-{name}, etcd-{name}-client, etc.
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: |-
+ priority determines operational importance and default backup frequency
+ Critical: Default backup every 30 minutes
+ High: Default backup hourly
+ Medium/Low: Default backup disabled
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ replicas:
+ description: |-
+ replicas is the number of etcd replicas for this shard
+ Must be 1 or 3. If not specified, defaults based on cluster's
+ ControllerAvailabilityPolicy (1 for SingleReplica, 3 for HighlyAvailable)
+ enum:
+ - 1
+ - 3
+ format: int32
+ type: integer
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ storage:
+ description: |-
+ storage specifies storage configuration for this shard
+ If not specified, inherits from ManagedEtcdSpec.Storage
+ properties:
+ persistentVolume:
+ description: |-
+ persistentVolume is the configuration for PersistentVolume etcd storage.
+ With this implementation, a PersistentVolume will be allocated for every
+ etcd member (either 1 or 3 depending on the HostedCluster control plane
+ availability configuration).
+ properties:
+ size:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Gi
+ description: |-
+ size is the minimum size of the data volume for each etcd member.
+ Default is 8Gi.
+ This field is immutable
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ x-kubernetes-validations:
+ - message: Etcd PV storage size is immutable
+ rule: self == oldSelf
+ storageClassName:
+ description: |-
+ storageClassName is the StorageClass of the data volume for each etcd member.
+ See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: storageClassName is immutable
+ rule: self == oldSelf
+ type: object
+ restoreSnapshotURL:
+ description: |-
+ restoreSnapshotURL allows an optional URL to be provided where
+ an etcd snapshot can be downloaded, for example a pre-signed URL
+ referencing a storage service.
+ This snapshot will be restored on initial startup, only when the etcd PV
+ is empty.
+ items:
+ maxLength: 1024
+ type: string
+ maxItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: RestoreSnapshotURL shouldn't contain
+ more than 1 entry
+ rule: self.size() <= 1
+ - message: restoreSnapshotURL is immutable
+ rule: self == oldSelf
+ - message: restoreSnapshotURL must be a valid URL
+ with scheme https or s3
+ rule: self.size() == 0 || self[0].matches('^(https|s3)://.*')
+ type:
+ description: |-
+ type is the kind of persistent storage implementation to use for etcd.
+ Only PersistentVolume is supported at the moment.
+ enum:
+ - PersistentVolume
+ type: string
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - resourcePrefixes
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
storage:
- description: storage specifies how etcd data is persisted.
+ description: |-
+ storage specifies how etcd data is persisted.
+ When shards are specified, this serves as the default for all shards
+ unless overridden per-shard.
properties:
persistentVolume:
description: |-
@@ -2949,17 +3101,114 @@ spec:
properties:
endpoint:
description: |-
- endpoint is the full etcd cluster client endpoint URL. For example:
-
- https://etcd-client:2379
-
- If the URL uses an HTTPS scheme, the TLS field is required.
+ endpoint is the full etcd cluster client endpoint URL.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
maxLength: 255
- pattern: ^https://
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: endpoint must start with https://
+ rule: self.startsWith('https://')
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, uses endpoint and tls fields (legacy single-etcd mode).
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: UnmanagedEtcdShardSpec defines configuration
+ for a single unmanaged etcd shard
+ properties:
+ endpoint:
+ description: |-
+ endpoint is the full etcd shard client endpoint URL
+ Example: https://etcd-events-client:2379
+ maxLength: 255
+ pattern: ^https://
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: priority determines operational importance
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ tls:
+ description: tls specifies TLS configuration for this
+ shard's HTTPS endpoint
+ properties:
+ clientSecret:
+ description: |-
+ clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It
+ may have the following key/value pairs:
+
+ etcd-client-ca.crt: Certificate Authority value
+ etcd-client.crt: Client certificate value
+ etcd-client.key: Client certificate key value
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - clientSecret
+ type: object
+ required:
+ - endpoint
+ - name
+ - resourcePrefixes
+ - tls
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
tls:
- description: tls specifies TLS configuration for HTTPS etcd
- client endpoints.
+ description: |-
+ tls specifies TLS configuration for HTTPS etcd client endpoints.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
properties:
clientSecret:
description: |-
@@ -2984,9 +3233,6 @@ spec:
required:
- clientSecret
type: object
- required:
- - endpoint
- - tls
type: object
required:
- managementType
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml
index 5a85ccca1e67..fa546809e3bf 100644
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml
+++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml
@@ -2838,8 +2838,160 @@ spec:
description: managed specifies the behavior of an etcd cluster
managed by HyperShift.
properties:
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, a default single shard accepting all prefixes is used.
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: ManagedEtcdShardSpec defines configuration
+ for a single managed etcd shard
+ properties:
+ backupSchedule:
+ description: |-
+ backupSchedule is the cron schedule for backups (standard cron format)
+ If empty, uses priority-based default or disables backups
+ Examples: "*/30 * * * *" (every 30 min), "0 * * * *" (hourly)
+ maxLength: 100
+ minLength: 1
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ Used for resource naming: etcd-{name}, etcd-{name}-client, etc.
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: |-
+ priority determines operational importance and default backup frequency
+ Critical: Default backup every 30 minutes
+ High: Default backup hourly
+ Medium/Low: Default backup disabled
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ replicas:
+ description: |-
+ replicas is the number of etcd replicas for this shard
+ Must be 1 or 3. If not specified, defaults based on cluster's
+ ControllerAvailabilityPolicy (1 for SingleReplica, 3 for HighlyAvailable)
+ enum:
+ - 1
+ - 3
+ format: int32
+ type: integer
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ storage:
+ description: |-
+ storage specifies storage configuration for this shard
+ If not specified, inherits from ManagedEtcdSpec.Storage
+ properties:
+ persistentVolume:
+ description: |-
+ persistentVolume is the configuration for PersistentVolume etcd storage.
+ With this implementation, a PersistentVolume will be allocated for every
+ etcd member (either 1 or 3 depending on the HostedCluster control plane
+ availability configuration).
+ properties:
+ size:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Gi
+ description: |-
+ size is the minimum size of the data volume for each etcd member.
+ Default is 8Gi.
+ This field is immutable
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ x-kubernetes-validations:
+ - message: Etcd PV storage size is immutable
+ rule: self == oldSelf
+ storageClassName:
+ description: |-
+ storageClassName is the StorageClass of the data volume for each etcd member.
+ See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: storageClassName is immutable
+ rule: self == oldSelf
+ type: object
+ restoreSnapshotURL:
+ description: |-
+ restoreSnapshotURL allows an optional URL to be provided where
+ an etcd snapshot can be downloaded, for example a pre-signed URL
+ referencing a storage service.
+ This snapshot will be restored on initial startup, only when the etcd PV
+ is empty.
+ items:
+ maxLength: 1024
+ type: string
+ maxItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: RestoreSnapshotURL shouldn't contain
+ more than 1 entry
+ rule: self.size() <= 1
+ - message: restoreSnapshotURL is immutable
+ rule: self == oldSelf
+ - message: restoreSnapshotURL must be a valid URL
+ with scheme https or s3
+ rule: self.size() == 0 || self[0].matches('^(https|s3)://.*')
+ type:
+ description: |-
+ type is the kind of persistent storage implementation to use for etcd.
+ Only PersistentVolume is supported at the moment.
+ enum:
+ - PersistentVolume
+ type: string
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - resourcePrefixes
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
storage:
- description: storage specifies how etcd data is persisted.
+ description: |-
+ storage specifies how etcd data is persisted.
+ When shards are specified, this serves as the default for all shards
+ unless overridden per-shard.
properties:
persistentVolume:
description: |-
@@ -2930,17 +3082,114 @@ spec:
properties:
endpoint:
description: |-
- endpoint is the full etcd cluster client endpoint URL. For example:
-
- https://etcd-client:2379
-
- If the URL uses an HTTPS scheme, the TLS field is required.
+ endpoint is the full etcd cluster client endpoint URL.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
maxLength: 255
- pattern: ^https://
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: endpoint must start with https://
+ rule: self.startsWith('https://')
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, uses endpoint and tls fields (legacy single-etcd mode).
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: UnmanagedEtcdShardSpec defines configuration
+ for a single unmanaged etcd shard
+ properties:
+ endpoint:
+ description: |-
+ endpoint is the full etcd shard client endpoint URL
+ Example: https://etcd-events-client:2379
+ maxLength: 255
+ pattern: ^https://
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: priority determines operational importance
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ tls:
+ description: tls specifies TLS configuration for this
+ shard's HTTPS endpoint
+ properties:
+ clientSecret:
+ description: |-
+ clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It
+ may have the following key/value pairs:
+
+ etcd-client-ca.crt: Certificate Authority value
+ etcd-client.crt: Client certificate value
+ etcd-client.key: Client certificate key value
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - clientSecret
+ type: object
+ required:
+ - endpoint
+ - name
+ - resourcePrefixes
+ - tls
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
tls:
- description: tls specifies TLS configuration for HTTPS etcd
- client endpoints.
+ description: |-
+ tls specifies TLS configuration for HTTPS etcd client endpoints.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
properties:
clientSecret:
description: |-
@@ -2965,9 +3214,6 @@ spec:
required:
- clientSecret
type: object
- required:
- - endpoint
- - tls
type: object
required:
- managementType
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/GCPPlatform.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/GCPPlatform.yaml
index c859a25b2c1d..338a33cbc7a6 100644
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/GCPPlatform.yaml
+++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/GCPPlatform.yaml
@@ -2384,8 +2384,160 @@ spec:
description: managed specifies the behavior of an etcd cluster
managed by HyperShift.
properties:
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, a default single shard accepting all prefixes is used.
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: ManagedEtcdShardSpec defines configuration
+ for a single managed etcd shard
+ properties:
+ backupSchedule:
+ description: |-
+ backupSchedule is the cron schedule for backups (standard cron format)
+ If empty, uses priority-based default or disables backups
+ Examples: "*/30 * * * *" (every 30 min), "0 * * * *" (hourly)
+ maxLength: 100
+ minLength: 1
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ Used for resource naming: etcd-{name}, etcd-{name}-client, etc.
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: |-
+ priority determines operational importance and default backup frequency
+ Critical: Default backup every 30 minutes
+ High: Default backup hourly
+ Medium/Low: Default backup disabled
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ replicas:
+ description: |-
+ replicas is the number of etcd replicas for this shard
+ Must be 1 or 3. If not specified, defaults based on cluster's
+ ControllerAvailabilityPolicy (1 for SingleReplica, 3 for HighlyAvailable)
+ enum:
+ - 1
+ - 3
+ format: int32
+ type: integer
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ storage:
+ description: |-
+ storage specifies storage configuration for this shard
+ If not specified, inherits from ManagedEtcdSpec.Storage
+ properties:
+ persistentVolume:
+ description: |-
+ persistentVolume is the configuration for PersistentVolume etcd storage.
+ With this implementation, a PersistentVolume will be allocated for every
+ etcd member (either 1 or 3 depending on the HostedCluster control plane
+ availability configuration).
+ properties:
+ size:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Gi
+ description: |-
+ size is the minimum size of the data volume for each etcd member.
+ Default is 8Gi.
+ This field is immutable
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ x-kubernetes-validations:
+ - message: Etcd PV storage size is immutable
+ rule: self == oldSelf
+ storageClassName:
+ description: |-
+ storageClassName is the StorageClass of the data volume for each etcd member.
+ See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: storageClassName is immutable
+ rule: self == oldSelf
+ type: object
+ restoreSnapshotURL:
+ description: |-
+ restoreSnapshotURL allows an optional URL to be provided where
+ an etcd snapshot can be downloaded, for example a pre-signed URL
+ referencing a storage service.
+ This snapshot will be restored on initial startup, only when the etcd PV
+ is empty.
+ items:
+ maxLength: 1024
+ type: string
+ maxItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: RestoreSnapshotURL shouldn't contain
+ more than 1 entry
+ rule: self.size() <= 1
+ - message: restoreSnapshotURL is immutable
+ rule: self == oldSelf
+ - message: restoreSnapshotURL must be a valid URL
+ with scheme https or s3
+ rule: self.size() == 0 || self[0].matches('^(https|s3)://.*')
+ type:
+ description: |-
+ type is the kind of persistent storage implementation to use for etcd.
+ Only PersistentVolume is supported at the moment.
+ enum:
+ - PersistentVolume
+ type: string
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - resourcePrefixes
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
storage:
- description: storage specifies how etcd data is persisted.
+ description: |-
+ storage specifies how etcd data is persisted.
+ When shards are specified, this serves as the default for all shards
+ unless overridden per-shard.
properties:
persistentVolume:
description: |-
@@ -2476,17 +2628,114 @@ spec:
properties:
endpoint:
description: |-
- endpoint is the full etcd cluster client endpoint URL. For example:
-
- https://etcd-client:2379
-
- If the URL uses an HTTPS scheme, the TLS field is required.
+ endpoint is the full etcd cluster client endpoint URL.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
maxLength: 255
- pattern: ^https://
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: endpoint must start with https://
+ rule: self.startsWith('https://')
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, uses endpoint and tls fields (legacy single-etcd mode).
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: UnmanagedEtcdShardSpec defines configuration
+ for a single unmanaged etcd shard
+ properties:
+ endpoint:
+ description: |-
+ endpoint is the full etcd shard client endpoint URL
+ Example: https://etcd-events-client:2379
+ maxLength: 255
+ pattern: ^https://
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: priority determines operational importance
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ tls:
+ description: tls specifies TLS configuration for this
+ shard's HTTPS endpoint
+ properties:
+ clientSecret:
+ description: |-
+ clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It
+ may have the following key/value pairs:
+
+ etcd-client-ca.crt: Certificate Authority value
+ etcd-client.crt: Client certificate value
+ etcd-client.key: Client certificate key value
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - clientSecret
+ type: object
+ required:
+ - endpoint
+ - name
+ - resourcePrefixes
+ - tls
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
tls:
- description: tls specifies TLS configuration for HTTPS etcd
- client endpoints.
+ description: |-
+ tls specifies TLS configuration for HTTPS etcd client endpoints.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
properties:
clientSecret:
description: |-
@@ -2511,9 +2760,6 @@ spec:
required:
- clientSecret
type: object
- required:
- - endpoint
- - tls
type: object
required:
- managementType
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HCPEtcdBackup.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HCPEtcdBackup.yaml
index 1d9fa278fff6..3f9e6f8d19f9 100644
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HCPEtcdBackup.yaml
+++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HCPEtcdBackup.yaml
@@ -2449,8 +2449,160 @@ spec:
- message: azure configuration is required when platform is
Azure, and forbidden otherwise
rule: 'self.platform == ''Azure'' ? has(self.azure) : !has(self.azure)'
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, a default single shard accepting all prefixes is used.
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: ManagedEtcdShardSpec defines configuration
+ for a single managed etcd shard
+ properties:
+ backupSchedule:
+ description: |-
+ backupSchedule is the cron schedule for backups (standard cron format)
+ If empty, uses priority-based default or disables backups
+ Examples: "*/30 * * * *" (every 30 min), "0 * * * *" (hourly)
+ maxLength: 100
+ minLength: 1
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ Used for resource naming: etcd-{name}, etcd-{name}-client, etc.
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: |-
+ priority determines operational importance and default backup frequency
+ Critical: Default backup every 30 minutes
+ High: Default backup hourly
+ Medium/Low: Default backup disabled
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ replicas:
+ description: |-
+ replicas is the number of etcd replicas for this shard
+ Must be 1 or 3. If not specified, defaults based on cluster's
+ ControllerAvailabilityPolicy (1 for SingleReplica, 3 for HighlyAvailable)
+ enum:
+ - 1
+ - 3
+ format: int32
+ type: integer
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ storage:
+ description: |-
+ storage specifies storage configuration for this shard
+ If not specified, inherits from ManagedEtcdSpec.Storage
+ properties:
+ persistentVolume:
+ description: |-
+ persistentVolume is the configuration for PersistentVolume etcd storage.
+ With this implementation, a PersistentVolume will be allocated for every
+ etcd member (either 1 or 3 depending on the HostedCluster control plane
+ availability configuration).
+ properties:
+ size:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Gi
+ description: |-
+ size is the minimum size of the data volume for each etcd member.
+ Default is 8Gi.
+ This field is immutable
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ x-kubernetes-validations:
+ - message: Etcd PV storage size is immutable
+ rule: self == oldSelf
+ storageClassName:
+ description: |-
+ storageClassName is the StorageClass of the data volume for each etcd member.
+ See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: storageClassName is immutable
+ rule: self == oldSelf
+ type: object
+ restoreSnapshotURL:
+ description: |-
+ restoreSnapshotURL allows an optional URL to be provided where
+ an etcd snapshot can be downloaded, for example a pre-signed URL
+ referencing a storage service.
+ This snapshot will be restored on initial startup, only when the etcd PV
+ is empty.
+ items:
+ maxLength: 1024
+ type: string
+ maxItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: RestoreSnapshotURL shouldn't contain
+ more than 1 entry
+ rule: self.size() <= 1
+ - message: restoreSnapshotURL is immutable
+ rule: self == oldSelf
+ - message: restoreSnapshotURL must be a valid URL
+ with scheme https or s3
+ rule: self.size() == 0 || self[0].matches('^(https|s3)://.*')
+ type:
+ description: |-
+ type is the kind of persistent storage implementation to use for etcd.
+ Only PersistentVolume is supported at the moment.
+ enum:
+ - PersistentVolume
+ type: string
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - resourcePrefixes
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
storage:
- description: storage specifies how etcd data is persisted.
+ description: |-
+ storage specifies how etcd data is persisted.
+ When shards are specified, this serves as the default for all shards
+ unless overridden per-shard.
properties:
persistentVolume:
description: |-
@@ -2541,17 +2693,114 @@ spec:
properties:
endpoint:
description: |-
- endpoint is the full etcd cluster client endpoint URL. For example:
-
- https://etcd-client:2379
-
- If the URL uses an HTTPS scheme, the TLS field is required.
+ endpoint is the full etcd cluster client endpoint URL.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
maxLength: 255
- pattern: ^https://
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: endpoint must start with https://
+ rule: self.startsWith('https://')
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, uses endpoint and tls fields (legacy single-etcd mode).
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: UnmanagedEtcdShardSpec defines configuration
+ for a single unmanaged etcd shard
+ properties:
+ endpoint:
+ description: |-
+ endpoint is the full etcd shard client endpoint URL
+ Example: https://etcd-events-client:2379
+ maxLength: 255
+ pattern: ^https://
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: priority determines operational importance
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ tls:
+ description: tls specifies TLS configuration for this
+ shard's HTTPS endpoint
+ properties:
+ clientSecret:
+ description: |-
+ clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It
+ may have the following key/value pairs:
+
+ etcd-client-ca.crt: Certificate Authority value
+ etcd-client.crt: Client certificate value
+ etcd-client.key: Client certificate key value
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - clientSecret
+ type: object
+ required:
+ - endpoint
+ - name
+ - resourcePrefixes
+ - tls
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
tls:
- description: tls specifies TLS configuration for HTTPS etcd
- client endpoints.
+ description: |-
+ tls specifies TLS configuration for HTTPS etcd client endpoints.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
properties:
clientSecret:
description: |-
@@ -2576,9 +2825,6 @@ spec:
required:
- clientSecret
type: object
- required:
- - endpoint
- - tls
type: object
required:
- managementType
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml
index d1aea3cc45ae..22e07dbd306b 100644
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml
+++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml
@@ -2406,8 +2406,160 @@ spec:
description: managed specifies the behavior of an etcd cluster
managed by HyperShift.
properties:
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, a default single shard accepting all prefixes is used.
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: ManagedEtcdShardSpec defines configuration
+ for a single managed etcd shard
+ properties:
+ backupSchedule:
+ description: |-
+ backupSchedule is the cron schedule for backups (standard cron format)
+ If empty, uses priority-based default or disables backups
+ Examples: "*/30 * * * *" (every 30 min), "0 * * * *" (hourly)
+ maxLength: 100
+ minLength: 1
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ Used for resource naming: etcd-{name}, etcd-{name}-client, etc.
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: |-
+ priority determines operational importance and default backup frequency
+ Critical: Default backup every 30 minutes
+ High: Default backup hourly
+ Medium/Low: Default backup disabled
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ replicas:
+ description: |-
+ replicas is the number of etcd replicas for this shard
+ Must be 1 or 3. If not specified, defaults based on cluster's
+ ControllerAvailabilityPolicy (1 for SingleReplica, 3 for HighlyAvailable)
+ enum:
+ - 1
+ - 3
+ format: int32
+ type: integer
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ storage:
+ description: |-
+ storage specifies storage configuration for this shard
+ If not specified, inherits from ManagedEtcdSpec.Storage
+ properties:
+ persistentVolume:
+ description: |-
+ persistentVolume is the configuration for PersistentVolume etcd storage.
+ With this implementation, a PersistentVolume will be allocated for every
+ etcd member (either 1 or 3 depending on the HostedCluster control plane
+ availability configuration).
+ properties:
+ size:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Gi
+ description: |-
+ size is the minimum size of the data volume for each etcd member.
+ Default is 8Gi.
+ This field is immutable
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ x-kubernetes-validations:
+ - message: Etcd PV storage size is immutable
+ rule: self == oldSelf
+ storageClassName:
+ description: |-
+ storageClassName is the StorageClass of the data volume for each etcd member.
+ See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: storageClassName is immutable
+ rule: self == oldSelf
+ type: object
+ restoreSnapshotURL:
+ description: |-
+ restoreSnapshotURL allows an optional URL to be provided where
+ an etcd snapshot can be downloaded, for example a pre-signed URL
+ referencing a storage service.
+ This snapshot will be restored on initial startup, only when the etcd PV
+ is empty.
+ items:
+ maxLength: 1024
+ type: string
+ maxItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: RestoreSnapshotURL shouldn't contain
+ more than 1 entry
+ rule: self.size() <= 1
+ - message: restoreSnapshotURL is immutable
+ rule: self == oldSelf
+ - message: restoreSnapshotURL must be a valid URL
+ with scheme https or s3
+ rule: self.size() == 0 || self[0].matches('^(https|s3)://.*')
+ type:
+ description: |-
+ type is the kind of persistent storage implementation to use for etcd.
+ Only PersistentVolume is supported at the moment.
+ enum:
+ - PersistentVolume
+ type: string
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - resourcePrefixes
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
storage:
- description: storage specifies how etcd data is persisted.
+ description: |-
+ storage specifies how etcd data is persisted.
+ When shards are specified, this serves as the default for all shards
+ unless overridden per-shard.
properties:
persistentVolume:
description: |-
@@ -2498,17 +2650,114 @@ spec:
properties:
endpoint:
description: |-
- endpoint is the full etcd cluster client endpoint URL. For example:
-
- https://etcd-client:2379
-
- If the URL uses an HTTPS scheme, the TLS field is required.
+ endpoint is the full etcd cluster client endpoint URL.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
maxLength: 255
- pattern: ^https://
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: endpoint must start with https://
+ rule: self.startsWith('https://')
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, uses endpoint and tls fields (legacy single-etcd mode).
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: UnmanagedEtcdShardSpec defines configuration
+ for a single unmanaged etcd shard
+ properties:
+ endpoint:
+ description: |-
+ endpoint is the full etcd shard client endpoint URL
+ Example: https://etcd-events-client:2379
+ maxLength: 255
+ pattern: ^https://
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: priority determines operational importance
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ tls:
+ description: tls specifies TLS configuration for this
+ shard's HTTPS endpoint
+ properties:
+ clientSecret:
+ description: |-
+ clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It
+ may have the following key/value pairs:
+
+ etcd-client-ca.crt: Certificate Authority value
+ etcd-client.crt: Client certificate value
+ etcd-client.key: Client certificate key value
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - clientSecret
+ type: object
+ required:
+ - endpoint
+ - name
+ - resourcePrefixes
+ - tls
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
tls:
- description: tls specifies TLS configuration for HTTPS etcd
- client endpoints.
+ description: |-
+ tls specifies TLS configuration for HTTPS etcd client endpoints.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
properties:
clientSecret:
description: |-
@@ -2533,9 +2782,6 @@ spec:
required:
- clientSecret
type: object
- required:
- - endpoint
- - tls
type: object
required:
- managementType
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ImageStreamImportMode.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ImageStreamImportMode.yaml
index 4594af147b5a..7f4f564db2c2 100644
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ImageStreamImportMode.yaml
+++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ImageStreamImportMode.yaml
@@ -2402,8 +2402,160 @@ spec:
description: managed specifies the behavior of an etcd cluster
managed by HyperShift.
properties:
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, a default single shard accepting all prefixes is used.
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: ManagedEtcdShardSpec defines configuration
+ for a single managed etcd shard
+ properties:
+ backupSchedule:
+ description: |-
+ backupSchedule is the cron schedule for backups (standard cron format)
+ If empty, uses priority-based default or disables backups
+ Examples: "*/30 * * * *" (every 30 min), "0 * * * *" (hourly)
+ maxLength: 100
+ minLength: 1
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ Used for resource naming: etcd-{name}, etcd-{name}-client, etc.
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: |-
+ priority determines operational importance and default backup frequency
+ Critical: Default backup every 30 minutes
+ High: Default backup hourly
+ Medium/Low: Default backup disabled
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ replicas:
+ description: |-
+ replicas is the number of etcd replicas for this shard
+ Must be 1 or 3. If not specified, defaults based on cluster's
+ ControllerAvailabilityPolicy (1 for SingleReplica, 3 for HighlyAvailable)
+ enum:
+ - 1
+ - 3
+ format: int32
+ type: integer
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ storage:
+ description: |-
+ storage specifies storage configuration for this shard
+ If not specified, inherits from ManagedEtcdSpec.Storage
+ properties:
+ persistentVolume:
+ description: |-
+ persistentVolume is the configuration for PersistentVolume etcd storage.
+ With this implementation, a PersistentVolume will be allocated for every
+ etcd member (either 1 or 3 depending on the HostedCluster control plane
+ availability configuration).
+ properties:
+ size:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Gi
+ description: |-
+ size is the minimum size of the data volume for each etcd member.
+ Default is 8Gi.
+ This field is immutable
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ x-kubernetes-validations:
+ - message: Etcd PV storage size is immutable
+ rule: self == oldSelf
+ storageClassName:
+ description: |-
+ storageClassName is the StorageClass of the data volume for each etcd member.
+ See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: storageClassName is immutable
+ rule: self == oldSelf
+ type: object
+ restoreSnapshotURL:
+ description: |-
+ restoreSnapshotURL allows an optional URL to be provided where
+ an etcd snapshot can be downloaded, for example a pre-signed URL
+ referencing a storage service.
+ This snapshot will be restored on initial startup, only when the etcd PV
+ is empty.
+ items:
+ maxLength: 1024
+ type: string
+ maxItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: RestoreSnapshotURL shouldn't contain
+ more than 1 entry
+ rule: self.size() <= 1
+ - message: restoreSnapshotURL is immutable
+ rule: self == oldSelf
+ - message: restoreSnapshotURL must be a valid URL
+ with scheme https or s3
+ rule: self.size() == 0 || self[0].matches('^(https|s3)://.*')
+ type:
+ description: |-
+ type is the kind of persistent storage implementation to use for etcd.
+ Only PersistentVolume is supported at the moment.
+ enum:
+ - PersistentVolume
+ type: string
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - resourcePrefixes
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
storage:
- description: storage specifies how etcd data is persisted.
+ description: |-
+ storage specifies how etcd data is persisted.
+ When shards are specified, this serves as the default for all shards
+ unless overridden per-shard.
properties:
persistentVolume:
description: |-
@@ -2494,17 +2646,114 @@ spec:
properties:
endpoint:
description: |-
- endpoint is the full etcd cluster client endpoint URL. For example:
-
- https://etcd-client:2379
-
- If the URL uses an HTTPS scheme, the TLS field is required.
+ endpoint is the full etcd cluster client endpoint URL.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
maxLength: 255
- pattern: ^https://
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: endpoint must start with https://
+ rule: self.startsWith('https://')
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, uses endpoint and tls fields (legacy single-etcd mode).
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: UnmanagedEtcdShardSpec defines configuration
+ for a single unmanaged etcd shard
+ properties:
+ endpoint:
+ description: |-
+ endpoint is the full etcd shard client endpoint URL
+ Example: https://etcd-events-client:2379
+ maxLength: 255
+ pattern: ^https://
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: priority determines operational importance
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ tls:
+ description: tls specifies TLS configuration for this
+ shard's HTTPS endpoint
+ properties:
+ clientSecret:
+ description: |-
+ clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It
+ may have the following key/value pairs:
+
+ etcd-client-ca.crt: Certificate Authority value
+ etcd-client.crt: Client certificate value
+ etcd-client.key: Client certificate key value
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - clientSecret
+ type: object
+ required:
+ - endpoint
+ - name
+ - resourcePrefixes
+ - tls
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
tls:
- description: tls specifies TLS configuration for HTTPS etcd
- client endpoints.
+ description: |-
+ tls specifies TLS configuration for HTTPS etcd client endpoints.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
properties:
clientSecret:
description: |-
@@ -2529,9 +2778,6 @@ spec:
required:
- clientSecret
type: object
- required:
- - endpoint
- - tls
type: object
required:
- managementType
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/KMSEncryptionProvider.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/KMSEncryptionProvider.yaml
index d252df9539c9..8eeeee99aaa6 100644
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/KMSEncryptionProvider.yaml
+++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/KMSEncryptionProvider.yaml
@@ -2460,8 +2460,160 @@ spec:
description: managed specifies the behavior of an etcd cluster
managed by HyperShift.
properties:
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, a default single shard accepting all prefixes is used.
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: ManagedEtcdShardSpec defines configuration
+ for a single managed etcd shard
+ properties:
+ backupSchedule:
+ description: |-
+ backupSchedule is the cron schedule for backups (standard cron format)
+ If empty, uses priority-based default or disables backups
+ Examples: "*/30 * * * *" (every 30 min), "0 * * * *" (hourly)
+ maxLength: 100
+ minLength: 1
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ Used for resource naming: etcd-{name}, etcd-{name}-client, etc.
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: |-
+ priority determines operational importance and default backup frequency
+ Critical: Default backup every 30 minutes
+ High: Default backup hourly
+ Medium/Low: Default backup disabled
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ replicas:
+ description: |-
+ replicas is the number of etcd replicas for this shard
+ Must be 1 or 3. If not specified, defaults based on cluster's
+ ControllerAvailabilityPolicy (1 for SingleReplica, 3 for HighlyAvailable)
+ enum:
+ - 1
+ - 3
+ format: int32
+ type: integer
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ storage:
+ description: |-
+ storage specifies storage configuration for this shard
+ If not specified, inherits from ManagedEtcdSpec.Storage
+ properties:
+ persistentVolume:
+ description: |-
+ persistentVolume is the configuration for PersistentVolume etcd storage.
+ With this implementation, a PersistentVolume will be allocated for every
+ etcd member (either 1 or 3 depending on the HostedCluster control plane
+ availability configuration).
+ properties:
+ size:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Gi
+ description: |-
+ size is the minimum size of the data volume for each etcd member.
+ Default is 8Gi.
+ This field is immutable
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ x-kubernetes-validations:
+ - message: Etcd PV storage size is immutable
+ rule: self == oldSelf
+ storageClassName:
+ description: |-
+ storageClassName is the StorageClass of the data volume for each etcd member.
+ See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: storageClassName is immutable
+ rule: self == oldSelf
+ type: object
+ restoreSnapshotURL:
+ description: |-
+ restoreSnapshotURL allows an optional URL to be provided where
+ an etcd snapshot can be downloaded, for example a pre-signed URL
+ referencing a storage service.
+ This snapshot will be restored on initial startup, only when the etcd PV
+ is empty.
+ items:
+ maxLength: 1024
+ type: string
+ maxItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: RestoreSnapshotURL shouldn't contain
+ more than 1 entry
+ rule: self.size() <= 1
+ - message: restoreSnapshotURL is immutable
+ rule: self == oldSelf
+ - message: restoreSnapshotURL must be a valid URL
+ with scheme https or s3
+ rule: self.size() == 0 || self[0].matches('^(https|s3)://.*')
+ type:
+ description: |-
+ type is the kind of persistent storage implementation to use for etcd.
+ Only PersistentVolume is supported at the moment.
+ enum:
+ - PersistentVolume
+ type: string
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - resourcePrefixes
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
storage:
- description: storage specifies how etcd data is persisted.
+ description: |-
+ storage specifies how etcd data is persisted.
+ When shards are specified, this serves as the default for all shards
+ unless overridden per-shard.
properties:
persistentVolume:
description: |-
@@ -2552,17 +2704,114 @@ spec:
properties:
endpoint:
description: |-
- endpoint is the full etcd cluster client endpoint URL. For example:
-
- https://etcd-client:2379
-
- If the URL uses an HTTPS scheme, the TLS field is required.
+ endpoint is the full etcd cluster client endpoint URL.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
maxLength: 255
- pattern: ^https://
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: endpoint must start with https://
+ rule: self.startsWith('https://')
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, uses endpoint and tls fields (legacy single-etcd mode).
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: UnmanagedEtcdShardSpec defines configuration
+ for a single unmanaged etcd shard
+ properties:
+ endpoint:
+ description: |-
+ endpoint is the full etcd shard client endpoint URL
+ Example: https://etcd-events-client:2379
+ maxLength: 255
+ pattern: ^https://
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: priority determines operational importance
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ tls:
+ description: tls specifies TLS configuration for this
+ shard's HTTPS endpoint
+ properties:
+ clientSecret:
+ description: |-
+ clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It
+ may have the following key/value pairs:
+
+ etcd-client-ca.crt: Certificate Authority value
+ etcd-client.crt: Client certificate value
+ etcd-client.key: Client certificate key value
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - clientSecret
+ type: object
+ required:
+ - endpoint
+ - name
+ - resourcePrefixes
+ - tls
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
tls:
- description: tls specifies TLS configuration for HTTPS etcd
- client endpoints.
+ description: |-
+ tls specifies TLS configuration for HTTPS etcd client endpoints.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
properties:
clientSecret:
description: |-
@@ -2587,9 +2836,6 @@ spec:
required:
- clientSecret
type: object
- required:
- - endpoint
- - tls
type: object
required:
- managementType
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml
index c5516bc62f51..89ef01172f1e 100644
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml
+++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml
@@ -2384,8 +2384,160 @@ spec:
description: managed specifies the behavior of an etcd cluster
managed by HyperShift.
properties:
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, a default single shard accepting all prefixes is used.
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: ManagedEtcdShardSpec defines configuration
+ for a single managed etcd shard
+ properties:
+ backupSchedule:
+ description: |-
+ backupSchedule is the cron schedule for backups (standard cron format)
+ If empty, uses priority-based default or disables backups
+ Examples: "*/30 * * * *" (every 30 min), "0 * * * *" (hourly)
+ maxLength: 100
+ minLength: 1
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ Used for resource naming: etcd-{name}, etcd-{name}-client, etc.
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: |-
+ priority determines operational importance and default backup frequency
+ Critical: Default backup every 30 minutes
+ High: Default backup hourly
+ Medium/Low: Default backup disabled
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ replicas:
+ description: |-
+ replicas is the number of etcd replicas for this shard
+ Must be 1 or 3. If not specified, defaults based on cluster's
+ ControllerAvailabilityPolicy (1 for SingleReplica, 3 for HighlyAvailable)
+ enum:
+ - 1
+ - 3
+ format: int32
+ type: integer
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ storage:
+ description: |-
+ storage specifies storage configuration for this shard
+ If not specified, inherits from ManagedEtcdSpec.Storage
+ properties:
+ persistentVolume:
+ description: |-
+ persistentVolume is the configuration for PersistentVolume etcd storage.
+ With this implementation, a PersistentVolume will be allocated for every
+ etcd member (either 1 or 3 depending on the HostedCluster control plane
+ availability configuration).
+ properties:
+ size:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Gi
+ description: |-
+ size is the minimum size of the data volume for each etcd member.
+ Default is 8Gi.
+ This field is immutable
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ x-kubernetes-validations:
+ - message: Etcd PV storage size is immutable
+ rule: self == oldSelf
+ storageClassName:
+ description: |-
+ storageClassName is the StorageClass of the data volume for each etcd member.
+ See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: storageClassName is immutable
+ rule: self == oldSelf
+ type: object
+ restoreSnapshotURL:
+ description: |-
+ restoreSnapshotURL allows an optional URL to be provided where
+ an etcd snapshot can be downloaded, for example a pre-signed URL
+ referencing a storage service.
+ This snapshot will be restored on initial startup, only when the etcd PV
+ is empty.
+ items:
+ maxLength: 1024
+ type: string
+ maxItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: RestoreSnapshotURL shouldn't contain
+ more than 1 entry
+ rule: self.size() <= 1
+ - message: restoreSnapshotURL is immutable
+ rule: self == oldSelf
+ - message: restoreSnapshotURL must be a valid URL
+ with scheme https or s3
+ rule: self.size() == 0 || self[0].matches('^(https|s3)://.*')
+ type:
+ description: |-
+ type is the kind of persistent storage implementation to use for etcd.
+ Only PersistentVolume is supported at the moment.
+ enum:
+ - PersistentVolume
+ type: string
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - resourcePrefixes
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
storage:
- description: storage specifies how etcd data is persisted.
+ description: |-
+ storage specifies how etcd data is persisted.
+ When shards are specified, this serves as the default for all shards
+ unless overridden per-shard.
properties:
persistentVolume:
description: |-
@@ -2476,17 +2628,114 @@ spec:
properties:
endpoint:
description: |-
- endpoint is the full etcd cluster client endpoint URL. For example:
-
- https://etcd-client:2379
-
- If the URL uses an HTTPS scheme, the TLS field is required.
+ endpoint is the full etcd cluster client endpoint URL.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
maxLength: 255
- pattern: ^https://
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: endpoint must start with https://
+ rule: self.startsWith('https://')
+ shards:
+ description: |-
+ shards configures etcd sharding by Kubernetes resource kind.
+ When not specified, uses endpoint and tls fields (legacy single-etcd mode).
+ When specified, exactly one shard must have "/" in its resourcePrefixes.
+ items:
+ description: UnmanagedEtcdShardSpec defines configuration
+ for a single unmanaged etcd shard
+ properties:
+ endpoint:
+ description: |-
+ endpoint is the full etcd shard client endpoint URL
+ Example: https://etcd-events-client:2379
+ maxLength: 255
+ pattern: ^https://
+ type: string
+ name:
+ description: |-
+ name is the unique identifier for this shard
+ Must be DNS-1035 compliant (lowercase alphanumeric + hyphens)
+ maxLength: 15
+ minLength: 1
+ type: string
+ x-kubernetes-validations:
+ - message: name must be DNS-1035 compliant
+ rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')
+ priority:
+ default: Medium
+ description: priority determines operational importance
+ enum:
+ - Critical
+ - High
+ - Medium
+ - Low
+ type: string
+ resourcePrefixes:
+ description: |-
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard
+ Format: "group/resource#" or "/" for default (catch-all)
+ Examples: "/events#", "/coordination.k8s.io/leases#", "/"
+ Exactly one shard must have "/" as a prefix
+ items:
+ maxLength: 255
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ tls:
+ description: tls specifies TLS configuration for this
+ shard's HTTPS endpoint
+ properties:
+ clientSecret:
+ description: |-
+ clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It
+ may have the following key/value pairs:
+
+ etcd-client-ca.crt: Certificate Authority value
+ etcd-client.crt: Client certificate value
+ etcd-client.key: Client certificate key value
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - clientSecret
+ type: object
+ required:
+ - endpoint
+ - name
+ - resourcePrefixes
+ - tls
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: exactly one shard must have '/' prefix
+ rule: self.exists(s, '/' in s.resourcePrefixes)
+ - message: non-default prefixes must end with '#'
+ rule: self.all(s, s.resourcePrefixes.all(p, p == '/' ||
+ p.endsWith('#')))
tls:
- description: tls specifies TLS configuration for HTTPS etcd
- client endpoints.
+ description: |-
+ tls specifies TLS configuration for HTTPS etcd client endpoints.
+ Used only when shards is not specified (legacy single-etcd mode).
+ When shards are specified, this field is ignored.
properties:
clientSecret:
description: |-
@@ -2511,9 +2760,6 @@ spec:
required:
- clientSecret
type: object
- required:
- - endpoint
- - tls
type: object
required:
- managementType
diff --git a/client/applyconfiguration/hypershift/v1beta1/managedetcdshardspec.go b/client/applyconfiguration/hypershift/v1beta1/managedetcdshardspec.go
new file mode 100644
index 000000000000..1c72c017f649
--- /dev/null
+++ b/client/applyconfiguration/hypershift/v1beta1/managedetcdshardspec.go
@@ -0,0 +1,89 @@
+/*
+
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+ hypershiftv1beta1 "github.com/openshift/hypershift/api/hypershift/v1beta1"
+)
+
+// ManagedEtcdShardSpecApplyConfiguration represents a declarative configuration of the ManagedEtcdShardSpec type for use
+// with apply.
+type ManagedEtcdShardSpecApplyConfiguration struct {
+ Name *string `json:"name,omitempty"`
+ ResourcePrefixes []string `json:"resourcePrefixes,omitempty"`
+ Priority *hypershiftv1beta1.EtcdShardPriority `json:"priority,omitempty"`
+ Storage *ManagedEtcdStorageSpecApplyConfiguration `json:"storage,omitempty"`
+ Replicas *int32 `json:"replicas,omitempty"`
+ BackupSchedule *string `json:"backupSchedule,omitempty"`
+}
+
+// ManagedEtcdShardSpecApplyConfiguration constructs a declarative configuration of the ManagedEtcdShardSpec type for use with
+// apply.
+func ManagedEtcdShardSpec() *ManagedEtcdShardSpecApplyConfiguration {
+ return &ManagedEtcdShardSpecApplyConfiguration{}
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *ManagedEtcdShardSpecApplyConfiguration) WithName(value string) *ManagedEtcdShardSpecApplyConfiguration {
+ b.Name = &value
+ return b
+}
+
+// WithResourcePrefixes adds the given value to the ResourcePrefixes field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the ResourcePrefixes field.
+func (b *ManagedEtcdShardSpecApplyConfiguration) WithResourcePrefixes(values ...string) *ManagedEtcdShardSpecApplyConfiguration {
+ for i := range values {
+ b.ResourcePrefixes = append(b.ResourcePrefixes, values[i])
+ }
+ return b
+}
+
+// WithPriority sets the Priority field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Priority field is set to the value of the last call.
+func (b *ManagedEtcdShardSpecApplyConfiguration) WithPriority(value hypershiftv1beta1.EtcdShardPriority) *ManagedEtcdShardSpecApplyConfiguration {
+ b.Priority = &value
+ return b
+}
+
+// WithStorage sets the Storage field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Storage field is set to the value of the last call.
+func (b *ManagedEtcdShardSpecApplyConfiguration) WithStorage(value *ManagedEtcdStorageSpecApplyConfiguration) *ManagedEtcdShardSpecApplyConfiguration {
+ b.Storage = value
+ return b
+}
+
+// WithReplicas sets the Replicas field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Replicas field is set to the value of the last call.
+func (b *ManagedEtcdShardSpecApplyConfiguration) WithReplicas(value int32) *ManagedEtcdShardSpecApplyConfiguration {
+ b.Replicas = &value
+ return b
+}
+
+// WithBackupSchedule sets the BackupSchedule field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the BackupSchedule field is set to the value of the last call.
+func (b *ManagedEtcdShardSpecApplyConfiguration) WithBackupSchedule(value string) *ManagedEtcdShardSpecApplyConfiguration {
+ b.BackupSchedule = &value
+ return b
+}
diff --git a/client/applyconfiguration/hypershift/v1beta1/managedetcdspec.go b/client/applyconfiguration/hypershift/v1beta1/managedetcdspec.go
index eb2eacd470d8..9c8d1cf2676b 100644
--- a/client/applyconfiguration/hypershift/v1beta1/managedetcdspec.go
+++ b/client/applyconfiguration/hypershift/v1beta1/managedetcdspec.go
@@ -22,6 +22,7 @@ package v1beta1
type ManagedEtcdSpecApplyConfiguration struct {
Storage *ManagedEtcdStorageSpecApplyConfiguration `json:"storage,omitempty"`
Backup *HCPEtcdBackupConfigApplyConfiguration `json:"backup,omitempty"`
+ Shards []ManagedEtcdShardSpecApplyConfiguration `json:"shards,omitempty"`
}
// ManagedEtcdSpecApplyConfiguration constructs a declarative configuration of the ManagedEtcdSpec type for use with
@@ -45,3 +46,16 @@ func (b *ManagedEtcdSpecApplyConfiguration) WithBackup(value *HCPEtcdBackupConfi
b.Backup = value
return b
}
+
+// WithShards adds the given value to the Shards field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Shards field.
+func (b *ManagedEtcdSpecApplyConfiguration) WithShards(values ...*ManagedEtcdShardSpecApplyConfiguration) *ManagedEtcdSpecApplyConfiguration {
+ for i := range values {
+ if values[i] == nil {
+ panic("nil value passed to WithShards")
+ }
+ b.Shards = append(b.Shards, *values[i])
+ }
+ return b
+}
diff --git a/client/applyconfiguration/hypershift/v1beta1/unmanagedetcdshardspec.go b/client/applyconfiguration/hypershift/v1beta1/unmanagedetcdshardspec.go
new file mode 100644
index 000000000000..a79a99f47118
--- /dev/null
+++ b/client/applyconfiguration/hypershift/v1beta1/unmanagedetcdshardspec.go
@@ -0,0 +1,80 @@
+/*
+
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+ hypershiftv1beta1 "github.com/openshift/hypershift/api/hypershift/v1beta1"
+)
+
+// UnmanagedEtcdShardSpecApplyConfiguration represents a declarative configuration of the UnmanagedEtcdShardSpec type for use
+// with apply.
+type UnmanagedEtcdShardSpecApplyConfiguration struct {
+ Name *string `json:"name,omitempty"`
+ ResourcePrefixes []string `json:"resourcePrefixes,omitempty"`
+ Priority *hypershiftv1beta1.EtcdShardPriority `json:"priority,omitempty"`
+ Endpoint *string `json:"endpoint,omitempty"`
+ TLS *EtcdTLSConfigApplyConfiguration `json:"tls,omitempty"`
+}
+
+// UnmanagedEtcdShardSpecApplyConfiguration constructs a declarative configuration of the UnmanagedEtcdShardSpec type for use with
+// apply.
+func UnmanagedEtcdShardSpec() *UnmanagedEtcdShardSpecApplyConfiguration {
+ return &UnmanagedEtcdShardSpecApplyConfiguration{}
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *UnmanagedEtcdShardSpecApplyConfiguration) WithName(value string) *UnmanagedEtcdShardSpecApplyConfiguration {
+ b.Name = &value
+ return b
+}
+
+// WithResourcePrefixes adds the given value to the ResourcePrefixes field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the ResourcePrefixes field.
+func (b *UnmanagedEtcdShardSpecApplyConfiguration) WithResourcePrefixes(values ...string) *UnmanagedEtcdShardSpecApplyConfiguration {
+ for i := range values {
+ b.ResourcePrefixes = append(b.ResourcePrefixes, values[i])
+ }
+ return b
+}
+
+// WithPriority sets the Priority field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Priority field is set to the value of the last call.
+func (b *UnmanagedEtcdShardSpecApplyConfiguration) WithPriority(value hypershiftv1beta1.EtcdShardPriority) *UnmanagedEtcdShardSpecApplyConfiguration {
+ b.Priority = &value
+ return b
+}
+
+// WithEndpoint sets the Endpoint field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Endpoint field is set to the value of the last call.
+func (b *UnmanagedEtcdShardSpecApplyConfiguration) WithEndpoint(value string) *UnmanagedEtcdShardSpecApplyConfiguration {
+ b.Endpoint = &value
+ return b
+}
+
+// WithTLS sets the TLS field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the TLS field is set to the value of the last call.
+func (b *UnmanagedEtcdShardSpecApplyConfiguration) WithTLS(value *EtcdTLSConfigApplyConfiguration) *UnmanagedEtcdShardSpecApplyConfiguration {
+ b.TLS = value
+ return b
+}
diff --git a/client/applyconfiguration/hypershift/v1beta1/unmanagedetcdspec.go b/client/applyconfiguration/hypershift/v1beta1/unmanagedetcdspec.go
index d01b2a047d37..3b7686ed20aa 100644
--- a/client/applyconfiguration/hypershift/v1beta1/unmanagedetcdspec.go
+++ b/client/applyconfiguration/hypershift/v1beta1/unmanagedetcdspec.go
@@ -20,8 +20,9 @@ package v1beta1
// UnmanagedEtcdSpecApplyConfiguration represents a declarative configuration of the UnmanagedEtcdSpec type for use
// with apply.
type UnmanagedEtcdSpecApplyConfiguration struct {
- Endpoint *string `json:"endpoint,omitempty"`
- TLS *EtcdTLSConfigApplyConfiguration `json:"tls,omitempty"`
+ Endpoint *string `json:"endpoint,omitempty"`
+ TLS *EtcdTLSConfigApplyConfiguration `json:"tls,omitempty"`
+ Shards []UnmanagedEtcdShardSpecApplyConfiguration `json:"shards,omitempty"`
}
// UnmanagedEtcdSpecApplyConfiguration constructs a declarative configuration of the UnmanagedEtcdSpec type for use with
@@ -45,3 +46,16 @@ func (b *UnmanagedEtcdSpecApplyConfiguration) WithTLS(value *EtcdTLSConfigApplyC
b.TLS = value
return b
}
+
+// WithShards adds the given value to the Shards field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Shards field.
+func (b *UnmanagedEtcdSpecApplyConfiguration) WithShards(values ...*UnmanagedEtcdShardSpecApplyConfiguration) *UnmanagedEtcdSpecApplyConfiguration {
+ for i := range values {
+ if values[i] == nil {
+ panic("nil value passed to WithShards")
+ }
+ b.Shards = append(b.Shards, *values[i])
+ }
+ return b
+}
diff --git a/client/applyconfiguration/utils.go b/client/applyconfiguration/utils.go
index b89bca7ed49c..1007ff93103a 100644
--- a/client/applyconfiguration/utils.go
+++ b/client/applyconfiguration/utils.go
@@ -305,6 +305,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
return &hypershiftv1beta1.MachineNetworkEntryApplyConfiguration{}
case v1beta1.SchemeGroupVersion.WithKind("ManagedAzureKeyVault"):
return &hypershiftv1beta1.ManagedAzureKeyVaultApplyConfiguration{}
+ case v1beta1.SchemeGroupVersion.WithKind("ManagedEtcdShardSpec"):
+ return &hypershiftv1beta1.ManagedEtcdShardSpecApplyConfiguration{}
case v1beta1.SchemeGroupVersion.WithKind("ManagedEtcdSpec"):
return &hypershiftv1beta1.ManagedEtcdSpecApplyConfiguration{}
case v1beta1.SchemeGroupVersion.WithKind("ManagedEtcdStorageSpec"):
@@ -403,6 +405,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
return &hypershiftv1beta1.SubnetSpecApplyConfiguration{}
case v1beta1.SchemeGroupVersion.WithKind("Taint"):
return &hypershiftv1beta1.TaintApplyConfiguration{}
+ case v1beta1.SchemeGroupVersion.WithKind("UnmanagedEtcdShardSpec"):
+ return &hypershiftv1beta1.UnmanagedEtcdShardSpecApplyConfiguration{}
case v1beta1.SchemeGroupVersion.WithKind("UnmanagedEtcdSpec"):
return &hypershiftv1beta1.UnmanagedEtcdSpecApplyConfiguration{}
case v1beta1.SchemeGroupVersion.WithKind("UserManagedDiagnostics"):
diff --git a/cmd/cluster/core/create.go b/cmd/cluster/core/create.go
index 9dd96f94c1d3..a9eacb25423a 100644
--- a/cmd/cluster/core/create.go
+++ b/cmd/cluster/core/create.go
@@ -91,6 +91,8 @@ func bindCoreOptions(opts *RawCreateOptions, flags *pflag.FlagSet) {
flags.BoolVar(&opts.GenerateSSH, "generate-ssh", opts.GenerateSSH, "If true, generate SSH keys")
flags.StringVar(&opts.EtcdStorageClass, "etcd-storage-class", opts.EtcdStorageClass, "The persistent volume storage class for etcd data volumes")
flags.StringVar(&opts.EtcdStorageSize, "etcd-storage-size", opts.EtcdStorageSize, "The storage size for etcd data volume. Example: 8Gi")
+ flags.StringVar(&opts.EtcdShardingConfig, "etcd-sharding-config", opts.EtcdShardingConfig, "Path to YAML/JSON file containing etcd sharding configuration. Mutually exclusive with --etcd-shard.")
+ flags.StringArrayVar(&opts.EtcdShards, "etcd-shard", opts.EtcdShards, "Define an etcd shard inline with comma-separated key=value pairs. Keys: name (required), prefixes (pipe-separated, required), priority (Critical|High|Medium|Low), replicas (1|3), storage-size (e.g. 8Gi), storage-class, backup-schedule (cron format). Can be specified multiple times. Mutually exclusive with --etcd-sharding-config.")
flags.StringVar(&opts.InfraID, "infra-id", opts.InfraID, "Infrastructure ID to use for hosted cluster resources.")
flags.StringArrayVar(&opts.ServiceCIDR, "service-cidr", opts.ServiceCIDR, "The CIDR of the service network. Can be specified multiple times.")
flags.StringArrayVar(&opts.ClusterCIDR, "cluster-cidr", opts.ClusterCIDR, "The CIDR of the cluster network. Can be specified multiple times.")
@@ -135,6 +137,8 @@ type RawCreateOptions struct {
ControlPlaneOperatorImage string
EtcdStorageClass string
EtcdStorageSize string
+ EtcdShardingConfig string
+ EtcdShards []string
FIPS bool
GenerateSSH bool
ImageContentSources string
@@ -378,6 +382,18 @@ func prototypeResources(ctx context.Context, opts *CreateOptions) (*resources, e
prototype.Cluster.Spec.Etcd.Managed.Storage.PersistentVolume.Size = &etcdStorageSize
}
+ // Build and validate ETCD sharding configuration
+ shards, err := buildEtcdShards(opts)
+ if err != nil {
+ return nil, fmt.Errorf("failed to build etcd shard configuration: %w", err)
+ }
+ if len(shards) > 0 {
+ if err := validateEtcdSharding(shards); err != nil {
+ return nil, fmt.Errorf("invalid etcd sharding configuration: %w", err)
+ }
+ prototype.Cluster.Spec.Etcd.Managed.Shards = shards
+ }
+
sshKey, sshPrivateKey := opts.PublicKey, opts.PrivateKey
// overrides secret if SSHKeyFile is set
if len(opts.SSHKeyFile) > 0 {
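Review bot: The two new error returns wrap with the `failed to …` / `invalid …` prefixes, which the caller's own wrapping already implies once the chain is printed; `fmt.Errorf("building etcd shard configuration: %w", err)` and `fmt.Errorf("etcd sharding configuration: %w", err)` keep each message to what this layer was doing. `prototype.Cluster.Spec.Etcd.Managed.Shards = shards` also dereferences `Managed` unconditionally; the `Storage.PersistentVolume.Size` write just above does the same but sits inside its own `if`, so whether the prototype is always managed etcd on this path is not visible here — if it can carry unmanaged etcd this needs a nil guard, otherwise a short comment recording the assumption next to the assignment would save the next reader the same question. prototypeResources begins and ends outside the hunk.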
@@ -807,6 +823,22 @@ func (opts *RawCreateOptions) Validate(ctx context.Context) (*ValidatedCreateOpt
return nil, fmt.Errorf("allocateNodeCIDRs is only allowed when networkType is 'Other' (got '%s')", opts.NetworkType)
}
+ if opts.EtcdShardingConfig != "" && len(opts.EtcdShards) > 0 {
+ return nil, fmt.Errorf("--etcd-sharding-config and --etcd-shard are mutually exclusive")
+ }
+
+ if opts.EtcdShardingConfig != "" {
+ if _, err := os.Stat(opts.EtcdShardingConfig); err != nil {
+ return nil, fmt.Errorf("etcd sharding config file not found: %w", err)
+ }
+ }
+
+ if len(opts.EtcdShards) > 0 {
+ if _, err := parseInlineShards(opts.EtcdShards); err != nil {
+ return nil, fmt.Errorf("invalid --etcd-shard configuration: %w", err)
+ }
+ }
+
return &ValidatedCreateOptions{
validatedCreateOptions: &validatedCreateOptions{
RawCreateOptions: opts,
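Review bot: The `--etcd-sharding-config` branch only `os.Stat`s the path while the `--etcd-shard` branch below it fully parses its input, so a malformed or empty config file passes `Validate` and is rejected only later in `prototypeResources`; the cross-shard rules in `validateEtcdSharding` are likewise not applied to either branch at this stage. Replacing the Stat with the parser gives both inputs the same early failure: `if _, err := parseShardingConfigFile(opts.EtcdShardingConfig); err != nil { return nil, err }` (it already wraps read and parse errors). As written the message also says "not found" for any Stat error, including a permission error; if the Stat is kept, `fmt.Errorf("etcd sharding config file %q: %w", opts.EtcdShardingConfig, err)` describes the failure accurately. Validate begins and ends outside the hunk.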
@@ -1200,3 +1232,269 @@ func validateVersion(ctx context.Context, versionCLI string, client crclient.Cli
}
return nil
}
+
+// buildEtcdShards orchestrates the building of etcd shard configuration from either
+// file-based or inline configuration options.
+func buildEtcdShards(opts *CreateOptions) ([]hyperv1.ManagedEtcdShardSpec, error) {
+ var shards []hyperv1.ManagedEtcdShardSpec
+ var err error
+
+ if opts.EtcdShardingConfig != "" {
+ shards, err = parseShardingConfigFile(opts.EtcdShardingConfig)
+ if err != nil {
+ return nil, err
+ }
+ } else if len(opts.EtcdShards) > 0 {
+ shards, err = parseInlineShards(opts.EtcdShards)
+ if err != nil {
+ return nil, err
+ }
+ }
+
+ if len(shards) > 0 {
+ applyGlobalDefaults(shards, opts)
+ }
+
+ return shards, nil
+}
+
+// parseShardingConfigFile reads and parses a YAML or JSON file containing etcd sharding configuration.
+func parseShardingConfigFile(path string) ([]hyperv1.ManagedEtcdShardSpec, error) {
+ data, err := os.ReadFile(path)
+ if err != nil {
+ return nil, fmt.Errorf("failed to read etcd sharding config file: %w", err)
+ }
+
+ var config struct {
+ Shards []hyperv1.ManagedEtcdShardSpec `json:"shards"`
+ }
+
+ if err := yaml.Unmarshal(data, &config); err != nil {
+ return nil, fmt.Errorf("failed to parse etcd sharding config file: %w", err)
+ }
+
+ if len(config.Shards) == 0 {
+ return nil, fmt.Errorf("etcd sharding config file must contain at least one shard")
+ }
+
+ return config.Shards, nil
+}
+
+// parseInlineShards parses multiple inline shard definitions from --etcd-shard flags.
+func parseInlineShards(shardDefs []string) ([]hyperv1.ManagedEtcdShardSpec, error) {
+ shards := make([]hyperv1.ManagedEtcdShardSpec, 0, len(shardDefs))
+
+ for i, def := range shardDefs {
+ shard, err := parseInlineShard(def)
+ if err != nil {
+ return nil, fmt.Errorf("invalid shard definition at index %d: %w", i, err)
+ }
+ shards = append(shards, shard)
+ }
+
+ return shards, nil
+}
+
+// parseInlineShard parses a single inline shard definition.
+// Format: name=
+(Appears on: +ManagedEtcdShardSpec, +UnmanagedEtcdShardSpec) +
++
EtcdShardPriority defines the operational priority of an etcd shard
+ +| Value | +Description | +
|---|---|
"Critical" |
++ |
"High" |
++ |
"Low" |
++ |
"Medium" |
++ |
(Appears on:
@@ -37756,6 +38216,7 @@ integrate with an externally managed etcd cluster.
###EtcdTLSConfig { #hypershift.openshift.io/v1beta1.EtcdTLSConfig }(Appears on: +UnmanagedEtcdShardSpec, UnmanagedEtcdSpec)
@@ -43139,6 +43600,111 @@ string +###ManagedEtcdShardSpec { #hypershift.openshift.io/v1beta1.ManagedEtcdShardSpec } +
+(Appears on: +ManagedEtcdSpec) +
++
ManagedEtcdShardSpec defines configuration for a single managed etcd shard
+ +| Field | +Description | +
|---|---|
+name
+
+string
+
+ |
+
+ name is the unique identifier for this shard +Must be DNS-1035 compliant (lowercase alphanumeric + hyphens) +Used for resource naming: etcd-{name}, etcd-{name}-client, etc. + |
+
+resourcePrefixes
+
+[]string
+
+ |
+
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard +Format: “group/resource#” or “/” for default (catch-all) +Examples: “/events#”, “/coordination.k8s.io/leases#”, “/” +Exactly one shard must have “/” as a prefix + |
+
+priority
+
+
+EtcdShardPriority
+
+
+ |
+
+(Optional)
+ priority determines operational importance and default backup frequency +Critical: Default backup every 30 minutes +High: Default backup hourly +Medium/Low: Default backup disabled + |
+
+storage,omitzero
+
+
+ManagedEtcdStorageSpec
+
+
+ |
+
+(Optional)
+ storage specifies storage configuration for this shard +If not specified, inherits from ManagedEtcdSpec.Storage + |
+
+replicas
+
+int32
+
+ |
+
+(Optional)
+ replicas is the number of etcd replicas for this shard +Must be 1 or 3. If not specified, defaults based on cluster’s +ControllerAvailabilityPolicy (1 for SingleReplica, 3 for HighlyAvailable) + |
+
+backupSchedule
+
+string
+
+ |
+
+(Optional)
+ backupSchedule is the cron schedule for backups (standard cron format) +If empty, uses priority-based default or disables backups +Examples: “*/30 * * * *” (every 30 min), “0 * * * *” (hourly) + |
+
(Appears on:
@@ -43166,7 +43732,9 @@ ManagedEtcdStorageSpec
storage specifies how etcd data is persisted.
+storage specifies how etcd data is persisted. +When shards are specified, this serves as the default for all shards +unless overridden per-shard.
shards
+
+
+[]ManagedEtcdShardSpec
+
+
+shards configures etcd sharding by Kubernetes resource kind. +When not specified, a default single shard accepting all prefixes is used. +When specified, exactly one shard must have “/” in its resourcePrefixes.
+(Appears on: +ManagedEtcdShardSpec, ManagedEtcdSpec)
@@ -47218,6 +47803,89 @@ Valid effects are NoSchedule, PreferNoSchedule and NoExecute.
+###UnmanagedEtcdShardSpec { #hypershift.openshift.io/v1beta1.UnmanagedEtcdShardSpec } ++(Appears on: +UnmanagedEtcdSpec) +
++
UnmanagedEtcdShardSpec defines configuration for a single unmanaged etcd shard
+ +| Field | +Description | +
|---|---|
+name
+
+string
+
+ |
+
+ name is the unique identifier for this shard +Must be DNS-1035 compliant (lowercase alphanumeric + hyphens) + |
+
+resourcePrefixes
+
+[]string
+
+ |
+
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard +Format: “group/resource#” or “/” for default (catch-all) +Examples: “/events#”, “/coordination.k8s.io/leases#”, “/” +Exactly one shard must have “/” as a prefix + |
+
+priority
+
+
+EtcdShardPriority
+
+
+ |
+
+(Optional)
+ priority determines operational importance + |
+
+endpoint
+
+string
+
+ |
+
+ endpoint is the full etcd shard client endpoint URL +Example: https://etcd-events-client:2379 + |
+
+tls
+
+
+EtcdTLSConfig
+
+
+ |
+
+ tls specifies TLS configuration for this shard’s HTTPS endpoint + |
+
(Appears on:
@@ -47225,7 +47893,7 @@ Valid effects are NoSchedule, PreferNoSchedule and NoExecute.
UnmanagedEtcdSpec specifies configuration which enables the control plane to -integrate with an eternally managed etcd cluster.
+integrate with an externally managed etcd cluster.|
- endpoint is the full etcd cluster client endpoint URL. For example: -
-If the URL uses an HTTPS scheme, the TLS field is required. +(Optional) +endpoint is the full etcd cluster client endpoint URL. +Used only when shards is not specified (legacy single-etcd mode). +When shards are specified, this field is ignored. |
|
-tls
+tls,omitzero
EtcdTLSConfig
@@ -47259,7 +47927,26 @@ EtcdTLSConfig
|
- tls specifies TLS configuration for HTTPS etcd client endpoints. +(Optional) +tls specifies TLS configuration for HTTPS etcd client endpoints. +Used only when shards is not specified (legacy single-etcd mode). +When shards are specified, this field is ignored. + |
+
+shards
+
+
+[]UnmanagedEtcdShardSpec
+
+
+ |
+
+(Optional)
+ shards configures etcd sharding by Kubernetes resource kind. +When not specified, uses endpoint and tls fields (legacy single-etcd mode). +When specified, exactly one shard must have “/” in its resourcePrefixes. |
+(Appears on: +ManagedEtcdShardSpec, +UnmanagedEtcdShardSpec) +
++
EtcdShardPriority defines the operational priority of an etcd shard
+ +| Value | +Description | +
|---|---|
"Critical" |
++ |
"High" |
++ |
"Low" |
++ |
"Medium" |
++ |
(Appears on:
@@ -6798,6 +6824,7 @@ integrate with an externally managed etcd cluster.
###EtcdTLSConfig { #hypershift.openshift.io/v1beta1.EtcdTLSConfig }(Appears on: +UnmanagedEtcdShardSpec, UnmanagedEtcdSpec)
@@ -12181,6 +12208,111 @@ string +###ManagedEtcdShardSpec { #hypershift.openshift.io/v1beta1.ManagedEtcdShardSpec } +
+(Appears on: +ManagedEtcdSpec) +
++
ManagedEtcdShardSpec defines configuration for a single managed etcd shard
+ +| Field | +Description | +
|---|---|
+name
+
+string
+
+ |
+
+ name is the unique identifier for this shard +Must be DNS-1035 compliant (lowercase alphanumeric + hyphens) +Used for resource naming: etcd-{name}, etcd-{name}-client, etc. + |
+
+resourcePrefixes
+
+[]string
+
+ |
+
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard +Format: “group/resource#” or “/” for default (catch-all) +Examples: “/events#”, “/coordination.k8s.io/leases#”, “/” +Exactly one shard must have “/” as a prefix + |
+
+priority
+
+
+EtcdShardPriority
+
+
+ |
+
+(Optional)
+ priority determines operational importance and default backup frequency +Critical: Default backup every 30 minutes +High: Default backup hourly +Medium/Low: Default backup disabled + |
+
+storage,omitzero
+
+
+ManagedEtcdStorageSpec
+
+
+ |
+
+(Optional)
+ storage specifies storage configuration for this shard +If not specified, inherits from ManagedEtcdSpec.Storage + |
+
+replicas
+
+int32
+
+ |
+
+(Optional)
+ replicas is the number of etcd replicas for this shard +Must be 1 or 3. If not specified, defaults based on cluster’s +ControllerAvailabilityPolicy (1 for SingleReplica, 3 for HighlyAvailable) + |
+
+backupSchedule
+
+string
+
+ |
+
+(Optional)
+ backupSchedule is the cron schedule for backups (standard cron format) +If empty, uses priority-based default or disables backups +Examples: “*/30 * * * *” (every 30 min), “0 * * * *” (hourly) + |
+
(Appears on:
@@ -12208,7 +12340,9 @@ ManagedEtcdStorageSpec
storage specifies how etcd data is persisted.
+storage specifies how etcd data is persisted. +When shards are specified, this serves as the default for all shards +unless overridden per-shard.
shards
+
+
+[]ManagedEtcdShardSpec
+
+
+shards configures etcd sharding by Kubernetes resource kind. +When not specified, a default single shard accepting all prefixes is used. +When specified, exactly one shard must have “/” in its resourcePrefixes.
+(Appears on: +ManagedEtcdShardSpec, ManagedEtcdSpec)
@@ -16260,6 +16411,89 @@ Valid effects are NoSchedule, PreferNoSchedule and NoExecute.
+###UnmanagedEtcdShardSpec { #hypershift.openshift.io/v1beta1.UnmanagedEtcdShardSpec } ++(Appears on: +UnmanagedEtcdSpec) +
++
UnmanagedEtcdShardSpec defines configuration for a single unmanaged etcd shard
+ +| Field | +Description | +
|---|---|
+name
+
+string
+
+ |
+
+ name is the unique identifier for this shard +Must be DNS-1035 compliant (lowercase alphanumeric + hyphens) + |
+
+resourcePrefixes
+
+[]string
+
+ |
+
+ resourcePrefixes specifies which Kubernetes resources are stored in this shard +Format: “group/resource#” or “/” for default (catch-all) +Examples: “/events#”, “/coordination.k8s.io/leases#”, “/” +Exactly one shard must have “/” as a prefix + |
+
+priority
+
+
+EtcdShardPriority
+
+
+ |
+
+(Optional)
+ priority determines operational importance + |
+
+endpoint
+
+string
+
+ |
+
+ endpoint is the full etcd shard client endpoint URL +Example: https://etcd-events-client:2379 + |
+
+tls
+
+
+EtcdTLSConfig
+
+
+ |
+
+ tls specifies TLS configuration for this shard’s HTTPS endpoint + |
+
(Appears on:
@@ -16267,7 +16501,7 @@ Valid effects are NoSchedule, PreferNoSchedule and NoExecute.
UnmanagedEtcdSpec specifies configuration which enables the control plane to -integrate with an eternally managed etcd cluster.
+integrate with an externally managed etcd cluster.|
- endpoint is the full etcd cluster client endpoint URL. For example: -
-If the URL uses an HTTPS scheme, the TLS field is required. +(Optional) +endpoint is the full etcd cluster client endpoint URL. +Used only when shards is not specified (legacy single-etcd mode). +When shards are specified, this field is ignored. |
|
-tls
+tls,omitzero
EtcdTLSConfig
@@ -16301,7 +16535,26 @@ EtcdTLSConfig
|
- tls specifies TLS configuration for HTTPS etcd client endpoints. +(Optional) +tls specifies TLS configuration for HTTPS etcd client endpoints. +Used only when shards is not specified (legacy single-etcd mode). +When shards are specified, this field is ignored. + |
+
+shards
+
+
+[]UnmanagedEtcdShardSpec
+
+
+ |
+
+(Optional)
+ shards configures etcd sharding by Kubernetes resource kind. +When not specified, uses endpoint and tls fields (legacy single-etcd mode). +When specified, exactly one shard must have “/” in its resourcePrefixes. |