diff --git a/.travis.yml b/.travis.yml
index 494d91ee489..d67d8be646b 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,7 +1,7 @@
 language: go
 go:
-  - "1.11"
+  - "1.12"
 install:
   - wget https://github.com/google/protobuf/releases/download/v3.0.2/protoc-3.0.2-linux-x86_64.zip
diff --git a/Makefile b/Makefile
index ba83ccb1433..44fd3a6e09b 100644
--- a/Makefile
+++ b/Makefile
@@ -1,33 +1,50 @@
 all: build
 .PHONY: all
-RUNTIME ?= podman
-RUNTIME_IMAGE_NAME ?= openshift-api-generator
+# Include the library makefile
+include $(addprefix ./hack/alpha-build-machinery/make/, \
+	golang.mk \
+	targets/openshift/deps.mk \
+	targets/openshift/crd-schema-gen.mk \
+)
-build:
-	go build github.com/openshift/api/...
-.PHONY: build
+GO_PACKAGES :=$(addsuffix ...,$(addprefix ./,$(filter-out vendor/,$(filter-out hack/,$(wildcard */)))))
+GO_BUILD_PACKAGES :=$(GO_PACKAGES)
+GO_BUILD_PACKAGES_EXPANDED :=$(GO_BUILD_PACKAGES)
+# LDFLAGS are not needed for dummy builds (saving time on calling git commands)
+GO_LD_FLAGS:=
-test:
-	go test github.com/openshift/api/...
-.PHONY: test
+# Set crd-schema-gen variables
+CONTROLLER_GEN_VERSION :=v0.2.1
-verify:
+# $1 - target name
+# $2 - apis
+# $3 - manifests
+# $4 - output
+$(call add-crd-gen,authorization,./authorization/v1,./authorization/v1,./authorization/v1)
+$(call add-crd-gen,config,./config/v1,./config/v1,./config/v1)
+$(call add-crd-gen,console,./console/v1,./console/v1,./console/v1)
+$(call add-crd-gen,operator,./operator/v1alpha1,./operator/v1alpha1,./operator/v1alpha1)
+$(call add-crd-gen,quota,./quota/v1,./quota/v1,./quota/v1)
+$(call add-crd-gen,security,./security/v1,./security/v1,./security/v1)
+
+RUNTIME ?= podman
+RUNTIME_IMAGE_NAME ?= openshift-api-generator
+
+verify-scripts:
 	bash -x hack/verify-deepcopy.sh
 	bash -x hack/verify-protobuf.sh
 	bash -x hack/verify-swagger-docs.sh
-.PHONY: verify
-
-update-deps:
-	hack/update-deps.sh
-.PHONY: update-deps
+.PHONY: verify-scripts
+verify: verify-scripts
-generate-with-container: Dockerfile.build
-	$(RUNTIME) build -t $(RUNTIME_IMAGE_NAME) -f Dockerfile.build .
-	$(RUNTIME) run -ti --rm -v $(PWD):/go/src/github.com/openshift/api:z -w /go/src/github.com/openshift/api $(RUNTIME_IMAGE_NAME) make generate
-
-generate:
+update-scripts:
 	hack/update-deepcopy.sh
 	hack/update-protobuf.sh
 	hack/update-swagger-docs.sh
-.PHONY: generate
+.PHONY: update-scripts
+update: update-scripts
+
+generate-with-container: Dockerfile.build
+	$(RUNTIME) build -t $(RUNTIME_IMAGE_NAME) -f Dockerfile.build .
+	$(RUNTIME) run -ti --rm -v $(PWD):/go/src/github.com/openshift/api:z -w /go/src/github.com/openshift/api $(RUNTIME_IMAGE_NAME) make update-scripts
diff --git a/authorization/v1/0000_03_authorization-openshift_01_rolebindingrestriction.crd.yaml b/authorization/v1/0000_03_authorization-openshift_01_rolebindingrestriction.crd.yaml
new file mode 100644
index 00000000000..5ec81b3bd49
--- /dev/null
+++ b/authorization/v1/0000_03_authorization-openshift_01_rolebindingrestriction.crd.yaml
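Review bot: The containerized regeneration path on the last line now runs `make update-scripts`, which only refreshes deepcopy/protobuf/swagger, while the CRD manifests wired up through the `add-crd-gen` calls in this same hunk come from a separate generator target that `update-scripts` does not depend on; if the crd-schema-gen.mk include hooks its target onto `update`, the container should run `$(RUNTIME_IMAGE_NAME) make update` so a contributor cannot regenerate in the container and still commit stale `*.crd.yaml` files (the included makefiles are not visible here, so confirm the target name). Two smaller points in the same hunk: `$(PWD)` is an environment variable that can be unset or stale (`make -C`, `sudo`), and `$(CURDIR)` is the reliable value for the bind mount; and `verify`/`update` are no longer declared `.PHONY` in this file (the old `.PHONY: verify` is removed), so a file named `verify` in the tree would silently satisfy the target unless golang.mk declares them, e.g. `.PHONY: verify update`. `CONTROLLER_GEN_VERSION :=v0.2.1` pins the generator by tag only; whether the include resolves that to an immutable module checksum rather than a movable tag is not visible in this diff and is worth checking for a tool that rewrites API manifests.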
@@ -0,0 +1,205 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: rolebindingrestrictions.authorization.openshift.io +spec: + group: authorization.openshift.io + names: + kind: RoleBindingRestriction + listKind: RoleBindingRestrictionList + plural: rolebindingrestrictions + singular: rolebindingrestriction + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + "validation": + "openAPIV3Schema": + description: RoleBindingRestriction is an object that can be matched against + a subject (user, group, or service account) to determine whether rolebindings + on that subject are allowed in the namespace to which the RoleBindingRestriction + belongs. If any one of those RoleBindingRestriction objects matches a subject, + rolebindings on that subject in the namespace are allowed. + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + description: Standard object's metadata. + type: object + spec: + description: Spec defines the matcher. + type: object + properties: + grouprestriction: + description: GroupRestriction matches against group subjects. + type: object + properties: + groups: + description: Groups is a list of groups used to match against an + individual user's groups. 
If the user is a member of one of the + whitelisted groups, the user is allowed to be bound to a role. + type: array + items: + type: string + nullable: true + labels: + description: Selectors specifies a list of label selectors over + group labels. + type: array + items: + description: A label selector is a label query over a set of resources. + The result of matchLabels and matchExpressions are ANDed. An + empty label selector matches all objects. A null label selector + matches no objects. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If + the operator is In or NotIn, the values array must + be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced + during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A + single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is "key", + the operator is "In", and the values array contains only + "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + nullable: true + nullable: true + serviceaccountrestriction: + description: ServiceAccountRestriction matches against service-account + subjects. 
+ type: object + properties: + namespaces: + description: Namespaces specifies a list of literal namespace names. + type: array + items: + type: string + serviceaccounts: + description: ServiceAccounts specifies a list of literal service-account + names. + type: array + items: + description: ServiceAccountReference specifies a service account + and namespace by their names. + type: object + properties: + name: + description: Name is the name of the service account. + type: string + namespace: + description: Namespace is the namespace of the service account. Service + accounts from inside the whitelisted namespaces are allowed + to be bound to roles. If Namespace is empty, then the namespace + of the RoleBindingRestriction in which the ServiceAccountReference + is embedded is used. + type: string + nullable: true + userrestriction: + description: UserRestriction matches against user subjects. + type: object + properties: + groups: + description: Groups specifies a list of literal group names. + type: array + items: + type: string + nullable: true + labels: + description: Selectors specifies a list of label selectors over + user labels. + type: array + items: + description: A label selector is a label query over a set of resources. + The result of matchLabels and matchExpressions are ANDed. An + empty label selector matches all objects. A null label selector + matches no objects. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. 
Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If + the operator is In or NotIn, the values array must + be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced + during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A + single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is "key", + the operator is "In", and the values array contains only + "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + nullable: true + users: + description: Users specifies a list of literal user names. + type: array + items: + type: string + nullable: true diff --git a/config/v1/0000_03_config-operator_01_operatorhub.crd.yaml b/config/v1/0000_03_config-operator_01_operatorhub.crd.yaml new file mode 100644 index 00000000000..1319141241d --- /dev/null +++ b/config/v1/0000_03_config-operator_01_operatorhub.crd.yaml 
@@ -0,0 +1,100 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: operatorhubs.config.openshift.io +spec: + group: config.openshift.io + names: + kind: OperatorHub + listKind: OperatorHubList + plural: operatorhubs + singular: operatorhub + scope: Cluster + subresources: + status: {} + version: v1 + versions: + - name: v1 + served: true + storage: true + "validation": + "openAPIV3Schema": + description: OperatorHub is the Schema for the operatorhubs API. It can be used + to change the state of the default hub sources for OperatorHub on the cluster + from enabled to disabled and vice versa. + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: OperatorHubSpec defines the desired state of OperatorHub + type: object + properties: + disableAllDefaultSources: + description: disableAllDefaultSources allows you to disable all the + default hub sources. If this is true, a specific entry in sources + can be used to enable a default source. If this is false, a specific + entry in sources can be used to disable or enable a default source. + type: boolean + sources: + description: sources is the list of default hub sources and their configuration. 
+ If the list is empty, it implies that the default hub sources are + enabled on the cluster unless disableAllDefaultSources is true. If + disableAllDefaultSources is true and sources is not empty, the configuration + present in sources will take precedence. The list of default hub sources + and their current state will always be reflected in the status block. + type: array + items: + description: HubSource is used to specify the hub source and its configuration + type: object + properties: + disabled: + description: disabled is used to disable a default hub source + on cluster + type: boolean + name: + description: name is the name of one of the default hub sources + type: string + maxLength: 253 + minLength: 1 + status: + description: OperatorHubStatus defines the observed state of OperatorHub. + The current state of the default hub sources will always be reflected + here. + type: object + properties: + sources: + description: sources encapsulates the result of applying the configuration + for each hub source + type: array + items: + description: HubSourceStatus is used to reflect the current state + of applying the configuration to a default source + type: object + properties: + disabled: + description: disabled is used to disable a default hub source + on cluster + type: boolean + message: + description: message provides more information regarding failures + type: string + name: + description: name is the name of one of the default hub sources + type: string + maxLength: 253 + minLength: 1 + status: + description: status indicates success or failure in applying the + configuration + type: string diff --git a/config/v1/0000_03_config-operator_01_proxy.crd.yaml b/config/v1/0000_03_config-operator_01_proxy.crd.yaml new file mode 100644 index 00000000000..35d92449d37 --- /dev/null +++ b/config/v1/0000_03_config-operator_01_proxy.crd.yaml 
@@ -0,0 +1,97 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: proxies.config.openshift.io +spec: + group: config.openshift.io + scope: Cluster + versions: + - name: v1 + served: true + storage: true + names: + kind: Proxy + listKind: ProxyList + plural: proxies + singular: proxy + subresources: + status: {} + "validation": + "openAPIV3Schema": + description: Proxy holds cluster-wide information on how to configure default + proxies for the cluster. The canonical name is `cluster` + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec holds user-settable values for the proxy configuration + type: object + properties: + httpProxy: + description: httpProxy is the URL of the proxy for HTTP requests. Empty + means unset and will not result in an env var. + type: string + httpsProxy: + description: httpsProxy is the URL of the proxy for HTTPS requests. Empty + means unset and will not result in an env var. + type: string + noProxy: + description: noProxy is a comma-separated list of hostnames and/or CIDRs + for which the proxy should not be used. Empty means unset and will + not result in an env var. 
+ type: string + readinessEndpoints: + description: readinessEndpoints is a list of endpoints used to verify + readiness of the proxy. + type: array + items: + type: string + trustedCA: + description: "trustedCA is a reference to a ConfigMap containing a CA + certificate bundle used for client egress HTTPS connections. The certificate + bundle must be from the CA that signed the proxy's certificate and + be signed for everything. The trustedCA field should only be consumed + by a proxy validator. The validator is responsible for reading the + certificate bundle from required key \"ca-bundle.crt\" and copying + it to a ConfigMap named \"trusted-ca-bundle\" in the \"openshift-config-managed\" + namespace. The namespace for the ConfigMap referenced by trustedCA + is \"openshift-config\". Here is an example ConfigMap (in yaml): \n + apiVersion: v1 kind: ConfigMap metadata: name: user-ca-bundle namespace: + openshift-config data: ca-bundle.crt: | -----BEGIN CERTIFICATE----- + \ Custom CA certificate bundle. -----END CERTIFICATE-----" + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object + properties: + httpProxy: + description: httpProxy is the URL of the proxy for HTTP requests. + type: string + httpsProxy: + description: httpsProxy is the URL of the proxy for HTTPS requests. + type: string + noProxy: + description: noProxy is a comma-separated list of hostnames and/or CIDRs + for which the proxy should not be used. + type: string diff --git a/config/v1/0000_10_config-operator_01_apiserver.crd.yaml b/config/v1/0000_10_config-operator_01_apiserver.crd.yaml new file mode 100644 index 00000000000..02e09f337b0 --- /dev/null +++ b/config/v1/0000_10_config-operator_01_apiserver.crd.yaml 
@@ -0,0 +1,260 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: apiservers.config.openshift.io +spec: + group: config.openshift.io + scope: Cluster + names: + kind: APIServer + singular: apiserver + plural: apiservers + listKind: APIServerList + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + "validation": + "openAPIV3Schema": + description: APIServer holds configuration (like serving certificates, client + CA and CORS domains) shared by all API servers in the system, among them especially + kube-apiserver and openshift-apiserver. The canonical name of an instance + is 'cluster'. + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + type: object + properties: + additionalCORSAllowedOrigins: + description: additionalCORSAllowedOrigins lists additional, user-defined + regular expressions describing hosts for which the API server allows + access using the CORS headers. This may be needed to access the API + and the integrated OAuth server from JavaScript applications. The + values are regular expressions that correspond to the Golang regular + expression language. 
+ type: array + items: + type: string + clientCA: + description: 'clientCA references a ConfigMap containing a certificate + bundle for the signers that will be recognized for incoming client + certificates in addition to the operator managed signers. If this + is empty, then only operator managed signers are valid. You usually + only have to set this if you have your own PKI you wish to honor client + certificates from. The ConfigMap must exist in the openshift-config + namespace and contain the following required fields: - ConfigMap.Data["ca-bundle.crt"] + - CA bundle.' + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + encryption: + description: encryption allows the configuration of encryption of resources + at the datastore layer. + type: object + properties: + type: + description: "type defines what encryption type should be used to + encrypt resources at the datastore layer. When this field is unset + (i.e. when it is set to the empty string), identity is implied. + The behavior of unset can and will change over time. Even if + encryption is enabled by default, the meaning of unset may change + to a different encryption type based on changes in best practices. + \n When encryption is enabled, all sensitive resources shipped + with the platform are encrypted. This list of sensitive resources + can and will change over time. The current authoritative list + is: \n 1. secrets 2. configmaps 3. routes.route.openshift.io + \ 4. oauthaccesstokens.oauth.openshift.io 5. oauthauthorizetokens.oauth.openshift.io" + type: string + enum: + - "" + - identity + - aescbc + servingCerts: + description: servingCert is the TLS cert info for serving secure traffic. + If not specified, operator managed certificates will be used for serving + secure traffic. 
+ type: object + properties: + namedCertificates: + description: namedCertificates references secrets containing the + TLS cert info for serving secure traffic to specific hostnames. + If no named certificates are provided, or no named certificates + match the server name as understood by a client, the defaultServingCertificate + will be used. + type: array + items: + description: APIServerNamedServingCert maps a server DNS name, + as understood by a client, to a certificate. + type: object + properties: + names: + description: names is a optional list of explicit DNS names + (leading wildcards allowed) that should use this certificate + to serve secure traffic. If no names are provided, the implicit + names will be extracted from the certificates. Exact names + trump over wildcard names. Explicit names defined here trump + over extracted implicit names. + type: array + items: + type: string + servingCertificate: + description: 'servingCertificate references a kubernetes.io/tls + type secret containing the TLS cert info for serving secure + traffic. The secret must exist in the openshift-config namespace + and contain the following required fields: - Secret.Data["tls.key"] + - TLS private key. - Secret.Data["tls.crt"] - TLS certificate.' + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + tlsSecurityProfile: + description: "tlsSecurityProfile specifies settings for TLS connections + for externally exposed servers. \n If unset, a default (which may + change between releases) is chosen." + type: object + properties: + custom: + description: "custom is a user-defined TLS security profile. Be + extremely careful using a custom profile as invalid configurations + can be catastrophic. 
An example custom profile looks like this: + \n ciphers: - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + \ - ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 + \ tlsVersion: minimumVersion: TLSv1.1 maximumVersion: + TLSv1.2 dhParamSize: 1024" + type: object + properties: + ciphers: + description: "ciphers is used to specify the cipher algorithms + that are negotiated during the TLS handshake. Operators may + remove entries their operands do not support. For example, + to use 3DES (yaml): \n ciphers: - 3DES" + type: array + items: + type: string + dhParamSize: + description: "dhParamSize sets the maximum size of the Diffie-Hellman + parameters used for generating the ephemeral/temporary Diffie-Hellman + key in case of DHE key exchange. The final size will try to + match the size of the server's RSA (or DSA) key (e.g, a 2048 + bits temporary DH key for a 2048 bits RSA key), but will not + exceed this maximum value. \n Available DH Parameter sizes + are: \n \"2048\": A Diffie-Hellman parameter of 2048 bits. + \ \"1024\": A Diffie-Hellman parameter of 1024 bits. \n For + example, to use a Diffie-Hellman parameter of 2048 bits (yaml): + \n dhParamSize: 2048" + type: string + tlsVersion: + description: "tlsVersion is used to specify one or more versions + of the TLS protocol that is negotiated during the TLS handshake. + For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml): + \n tlsVersion: minimumVersion: TLSv1.1 maximumVersion: + TLSv1.3" + type: object + properties: + maximumVersion: + description: "maximumVersion enforces use of the specified + TLSProtocolVersion or older that are negotiated during + the TLS handshake. maximumVersion must be higher than + or equal to minimumVersion. \n If unset and minimumVersion + is set, maximumVersion will be set to minimumVersion. + If minimumVersion and maximumVersion are unset, the maximum + version is determined by the TLS security profile type. 
+ \n TLSProfileType Modern: VersionTLS13 TLSProfileType + Intermediate: VersionTLS13 TLSProfileType Old: VersionTLS13 + \n Supported maximum versions are the same as minimum + versions." + type: string + minimumVersion: + description: "minimumVersion enforces use of the specified + TLSProtocolVersion or newer that are negotiated during + the TLS handshake. minimumVersion must be lower than or + equal to maximumVersion. \n If unset and maximumVersion + is set, minimumVersion will be set to maximumVersion. + If minimumVersion and maximumVersion are unset, the minimum + version is determined by the TLS security profile type. + \n TLSProfileType Modern: VersionTLS13 TLSProfileType + Intermediate: VersionTLS12 TLSProfileType Old: VersionTLS10 + \n Supported minimum versions are: \n \"TLSv1.3\": Version + 1.3 of the TLS security protocol. \"TLSv1.2\": Version + 1.2 of the TLS security protocol. \"TLSv1.1\": Version + 1.1 of the TLS security protocol. \"TLSv1.0\": Version + 1.0 of the TLS security protocol." 
+ type: string + nullable: true + intermediate: + description: "intermediate is a TLS security profile based on: \n + https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + \n and looks like this (yaml): \n ciphers: - TLS_AES_128_GCM_SHA256 + \ - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256 + \ - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256 + \ - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 + \ - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + \ - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 + \ tlsVersion: minimumVersion: TLSv1.2 maximumVersion: + TLSv1.3 dhParamSize: 2048" + type: object + nullable: true + modern: + description: "modern is a TLS security profile based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility + \n and looks like this (yaml): \n ciphers: - TLS_AES_128_GCM_SHA256 + \ - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256 + \ tlsVersion: minimumVersion: TLSv1.3 maximumVersion: + TLSv1.3 dhParamSize: 2048" + type: object + nullable: true + old: + description: "old is a TLS security profile based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility + \n and looks like this (yaml): \n ciphers: - TLS_AES_128_GCM_SHA256 + \ - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256 + \ - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256 + \ - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 + \ - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + \ - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 + \ - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 + \ - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - + ECDHE-RSA-AES128-SHA - ECDHE-ECDSA-AES256-SHA384 - ECDHE-RSA-AES256-SHA384 + \ - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - + DHE-RSA-AES128-SHA256 - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 + \ - AES256-GCM-SHA384 - AES128-SHA256 - 
AES256-SHA256 + \ - AES128-SHA - AES256-SHA - DES-CBC3-SHA tlsVersion: + \ minimumVersion: TLSv1.0 maximumVersion: TLSv1.3 dhParamSize: + 1024" + type: object + nullable: true + type: + description: "type is one of Old, Intermediate, Modern or Custom. + Custom provides the ability to specify individual TLS security + profile parameters. Old, Intermediate and Modern are TLS security + profiles based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + \n The profiles are intent based, so they may change over time + as new ciphers are developed and existing ciphers are found to + be insecure. Depending on precisely which ciphers are available + to a process, the list may be reduced." + type: string + status: + type: object diff --git a/config/v1/0000_10_config-operator_01_authentication.crd.yaml b/config/v1/0000_10_config-operator_01_authentication.crd.yaml new file mode 100644 index 00000000000..a5e3479f5c8 --- /dev/null +++ b/config/v1/0000_10_config-operator_01_authentication.crd.yaml 
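Review bot: `tlsSecurityProfile.type` is an unconstrained `type: string` even though its description limits it to Old, Intermediate, Modern or Custom, whereas `encryption.type` in the same schema does carry an `enum`; a misspelled profile is therefore accepted at admission and each consuming operator decides what to fall back to, which for a cluster-wide TLS policy should instead be rejected up front with `enum: [Old, Intermediate, Modern, Custom]`. Since this manifest is produced by controller-gen (the `add-crd-gen` wiring is in this commit's Makefile), the fix belongs on the Go type as a `+kubebuilder:validation:Enum` marker rather than a hand edit of the YAML. The same gap applies to `custom.tlsVersion.minimumVersion`/`maximumVersion` and `dhParamSize`, whose descriptions enumerate the accepted values (`TLSv1.0`…`TLSv1.3`, `"1024"`/`"2048"`) but whose schema accepts any string; the min ≤ max ordering described under `minimumVersion` cannot be expressed in this schema version and remains the operators' responsibility, which the description could state explicitly.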
@@ -0,0 +1,123 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: authentications.config.openshift.io +spec: + group: config.openshift.io + names: + kind: Authentication + listKind: AuthenticationList + plural: authentications + singular: authentication + scope: Cluster + subresources: + status: {} + versions: + - name: v1 + served: true + storage: true + "validation": + "openAPIV3Schema": + description: Authentication specifies cluster-wide settings for authentication + (like OAuth and webhook token authenticators). The canonical name of an instance + is `cluster`. + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + description: Standard object's metadata. + type: object + spec: + description: spec holds user settable values for configuration + type: object + properties: + oauthMetadata: + description: 'oauthMetadata contains the discovery endpoint data for + OAuth 2.0 Authorization Server Metadata for an external OAuth server. 
+ This discovery document can be viewed from its served location: oc + get --raw ''/.well-known/oauth-authorization-server'' For further + details, see the IETF Draft: https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + If oauthMetadata.name is non-empty, this value has precedence over + any metadata reference stored in status. The key "oauthMetadata" is + used to locate the data. If specified and the config map or expected + key is not found, no metadata is served. If the specified metadata + is not valid, no metadata is served. The namespace for this config + map is openshift-config.' + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + type: + description: type identifies the cluster managed, user facing authentication + mode in use. Specifically, it manages the component that responds + to login attempts. The default is IntegratedOAuth. + type: string + webhookTokenAuthenticators: + description: webhookTokenAuthenticators configures remote token reviewers. + These remote authentication webhooks can be used to verify bearer + tokens via the tokenreviews.authentication.k8s.io REST API. This + is required to honor bearer tokens that are provisioned by an external + authentication service. The namespace for these secrets is openshift-config. + type: array + items: + description: webhookTokenAuthenticator holds the necessary configuration + options for a remote token authenticator + type: object + properties: + kubeConfig: + description: 'kubeConfig contains kube config file data which + describes how to access the remote webhook service. For further + details, see: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + The key "kubeConfig" is used to locate the data. If the secret + or expected key is not found, the webhook is not honored. 
If + the specified kube config data is not valid, the webhook is + not honored. The namespace for this secret is determined by + the point of use.' + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced secret + type: string + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object + properties: + integratedOAuthMetadata: + description: 'integratedOAuthMetadata contains the discovery endpoint + data for OAuth 2.0 Authorization Server Metadata for the in-cluster + integrated OAuth server. This discovery document can be viewed from + its served location: oc get --raw ''/.well-known/oauth-authorization-server'' + For further details, see the IETF Draft: https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + This contains the observed value based on cluster state. An explicitly + set value in spec.oauthMetadata has precedence over this field. This + field has no meaning if authentication spec.type is not set to IntegratedOAuth. + The key "oauthMetadata" is used to locate the data. If the config + map or expected key is not found, no metadata is served. If the specified + metadata is not valid, no metadata is served. The namespace for this + config map is openshift-config-managed.' + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string diff --git a/config/v1/0000_10_config-operator_01_build.crd.yaml b/config/v1/0000_10_config-operator_01_build.crd.yaml new file mode 100644 index 00000000000..1f11db48d5f --- /dev/null +++ b/config/v1/0000_10_config-operator_01_build.crd.yaml 
@@ -0,0 +1,365 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: builds.config.openshift.io +spec: + group: config.openshift.io + scope: Cluster + names: + kind: Build + singular: build + plural: builds + listKind: BuildList + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + "validation": + "openAPIV3Schema": + description: "Build configures the behavior of OpenShift builds for the entire + cluster. This includes default settings that can be overridden in BuildConfig + objects, and overrides which are applied to all builds. \n The canonical name + is \"cluster\"" + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec holds user-settable values for the build controller configuration + type: object + properties: + additionalTrustedCA: + description: "AdditionalTrustedCA is a reference to a ConfigMap containing + additional CAs that should be trusted for image pushes and pulls during + builds. The namespace for this config map is openshift-config. \n + DEPRECATED: Additional CAs for image pull and push should be set on + image.config.openshift.io/cluster instead." 
+ type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + buildDefaults: + description: BuildDefaults controls the default information for Builds + type: object + properties: + defaultProxy: + description: "DefaultProxy contains the default proxy settings for + all build operations, including image pull/push and source download. + \n Values can be overrode by setting the `HTTP_PROXY`, `HTTPS_PROXY`, + and `NO_PROXY` environment variables in the build config's strategy." + type: object + properties: + httpProxy: + description: httpProxy is the URL of the proxy for HTTP requests. Empty + means unset and will not result in an env var. + type: string + httpsProxy: + description: httpsProxy is the URL of the proxy for HTTPS requests. Empty + means unset and will not result in an env var. + type: string + noProxy: + description: noProxy is a comma-separated list of hostnames + and/or CIDRs for which the proxy should not be used. Empty + means unset and will not result in an env var. + type: string + readinessEndpoints: + description: readinessEndpoints is a list of endpoints used + to verify readiness of the proxy. + type: array + items: + type: string + trustedCA: + description: "trustedCA is a reference to a ConfigMap containing + a CA certificate bundle used for client egress HTTPS connections. + The certificate bundle must be from the CA that signed the + proxy's certificate and be signed for everything. The trustedCA + field should only be consumed by a proxy validator. The validator + is responsible for reading the certificate bundle from required + key \"ca-bundle.crt\" and copying it to a ConfigMap named + \"trusted-ca-bundle\" in the \"openshift-config-managed\" + namespace. The namespace for the ConfigMap referenced by trustedCA + is \"openshift-config\". 
Here is an example ConfigMap (in + yaml): \n apiVersion: v1 kind: ConfigMap metadata: name: + user-ca-bundle namespace: openshift-config data: ca-bundle.crt: + | -----BEGIN CERTIFICATE----- Custom CA certificate + bundle. -----END CERTIFICATE-----" + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + env: + description: Env is a set of default environment variables that + will be applied to the build if the specified variables do not + exist on the build + type: array + items: + description: EnvVar represents an environment variable present + in a Container. + type: object + required: + - name + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previous defined environment variables in the + container and any service environment variables. If a variable + cannot be resolved, the reference in the input string will + be unchanged. The $(VAR_NAME) syntax can be escaped with + a double $$, ie: $$(VAR_NAME). Escaped references will never + be expanded, regardless of whether the variable exists or + not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + type: object + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + type: object + required: + - key + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, metadata.labels, metadata.annotations, + spec.nodeName, spec.serviceAccountName, status.hostIP, + status.podIP.' + type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is + written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified + API version. + type: string + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' + type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed + resources, defaults to "1" + type: string + resource: + description: 'Required: resource to select' + type: string + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + type: object + required: + - key + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + gitProxy: + description: "GitProxy contains the proxy settings for git operations + only. If set, this will override any Proxy settings for all git + commands, such as git clone. 
\n Values that are not set here will + be inherited from DefaultProxy." + type: object + properties: + httpProxy: + description: httpProxy is the URL of the proxy for HTTP requests. Empty + means unset and will not result in an env var. + type: string + httpsProxy: + description: httpsProxy is the URL of the proxy for HTTPS requests. Empty + means unset and will not result in an env var. + type: string + noProxy: + description: noProxy is a comma-separated list of hostnames + and/or CIDRs for which the proxy should not be used. Empty + means unset and will not result in an env var. + type: string + readinessEndpoints: + description: readinessEndpoints is a list of endpoints used + to verify readiness of the proxy. + type: array + items: + type: string + trustedCA: + description: "trustedCA is a reference to a ConfigMap containing + a CA certificate bundle used for client egress HTTPS connections. + The certificate bundle must be from the CA that signed the + proxy's certificate and be signed for everything. The trustedCA + field should only be consumed by a proxy validator. The validator + is responsible for reading the certificate bundle from required + key \"ca-bundle.crt\" and copying it to a ConfigMap named + \"trusted-ca-bundle\" in the \"openshift-config-managed\" + namespace. The namespace for the ConfigMap referenced by trustedCA + is \"openshift-config\". Here is an example ConfigMap (in + yaml): \n apiVersion: v1 kind: ConfigMap metadata: name: + user-ca-bundle namespace: openshift-config data: ca-bundle.crt: + | -----BEGIN CERTIFICATE----- Custom CA certificate + bundle. -----END CERTIFICATE-----" + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + imageLabels: + description: ImageLabels is a list of docker labels that are applied + to the resulting image. User can override a default label by providing + a label with the same name in their Build/BuildConfig. 
+ type: array + items: + type: object + properties: + name: + description: Name defines the name of the label. It must have + non-zero length. + type: string + value: + description: Value defines the literal value of the label. + type: string + resources: + description: Resources defines resource requirements to execute + the build. + type: object + properties: + limits: + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + type: object + additionalProperties: + type: string + requests: + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + type: object + additionalProperties: + type: string + buildOverrides: + description: BuildOverrides controls override settings for builds + type: object + properties: + imageLabels: + description: ImageLabels is a list of docker labels that are applied + to the resulting image. If user provided a label in their Build/BuildConfig + with the same name as one in this list, the user's label will + be overwritten. + type: array + items: + type: object + properties: + name: + description: Name defines the name of the label. It must have + non-zero length. + type: string + value: + description: Value defines the literal value of the label. + type: string + nodeSelector: + description: NodeSelector is a selector which must be true for the + build pod to fit on a node + type: object + additionalProperties: + type: string + tolerations: + description: Tolerations is a list of Tolerations that will override + any existing tolerations set on a build pod. 
+ type: array + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using the + matching operator . + type: object + properties: + effect: + description: Effect indicates the taint effect to match. Empty + means match all taint effects. When specified, allowed values + are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match + all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the + value. Valid operators are Exists and Equal. Defaults to + Equal. Exists is equivalent to wildcard for value, so that + a pod can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time + the toleration (which must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do + not evict). Zero and negative values will be treated as + 0 (evict immediately) by the system. + type: integer + format: int64 + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string diff --git a/config/v1/0000_10_config-operator_01_console.crd.yaml b/config/v1/0000_10_config-operator_01_console.crd.yaml new file mode 100644 index 00000000000..8d07e581fd8 --- /dev/null +++ b/config/v1/0000_10_config-operator_01_console.crd.yaml 
@@ -0,0 +1,70 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: consoles.config.openshift.io +spec: + scope: Cluster + group: config.openshift.io + names: + kind: Console + listKind: ConsoleList + plural: consoles + singular: console + subresources: + status: {} + versions: + - name: v1 + served: true + storage: true + "validation": + "openAPIV3Schema": + description: Console holds cluster-wide configuration for the web console, including + the logout URL, and reports the public URL of the console. The canonical name + is `cluster`. + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + description: Standard object's metadata. + type: object + spec: + description: spec holds user settable values for configuration + type: object + properties: + authentication: + description: ConsoleAuthentication defines a list of optional configuration + for console authentication. + type: object + properties: + logoutRedirect: + description: 'An optional, absolute URL to redirect web browsers + to after logging out of the console. If not specified, it will + redirect to the default login page. 
This is required when using + an identity provider that supports single sign-on (SSO) such as: + - OpenID (Keycloak, Azure) - RequestHeader (GSSAPI, SSPI, SAML) + - OAuth (GitHub, GitLab, Google) Logging out of the console will + destroy the user''s token. The logoutRedirect provides the user + the option to perform single logout (SLO) through the identity + provider to destroy their single sign-on session.' + type: string + pattern: ^$|^((https):\/\/?)[^\s()<>]+(?:\([\w\d]+\)|([^[:punct:]\s]|\/?))$ + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object + properties: + consoleURL: + description: The URL for the console. This will be derived from the + host for the route that is created for the console. + type: string diff --git a/config/v1/0000_10_config-operator_01_dns.crd.yaml b/config/v1/0000_10_config-operator_01_dns.crd.yaml new file mode 100644 index 00000000000..dba624615a2 --- /dev/null +++ b/config/v1/0000_10_config-operator_01_dns.crd.yaml 
@@ -0,0 +1,100 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: dnses.config.openshift.io +spec: + group: config.openshift.io + names: + kind: DNS + listKind: DNSList + plural: dnses + singular: dns + scope: Cluster + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + "validation": + "openAPIV3Schema": + description: DNS holds cluster-wide information about DNS. The canonical name + is `cluster` + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + description: Standard object's metadata. + type: object + spec: + description: spec holds user settable values for configuration + type: object + properties: + baseDomain: + description: "baseDomain is the base domain of the cluster. All managed + DNS records will be sub-domains of this base. \n For example, given + the base domain `openshift.example.com`, an API server DNS record + may be created for `cluster-api.openshift.example.com`. \n Once set, + this field cannot be changed." + type: string + privateZone: + description: "privateZone is the location where all the DNS records + that are only available internally to the cluster exist. \n If this + field is nil, no private records should be created. \n Once set, this + field cannot be changed." 
+ type: object + properties: + id: + description: "id is the identifier that can be used to find the + DNS hosted zone. \n on AWS zone can be fetched using `ID` as id + in [1] on Azure zone can be fetched using `ID` as a pre-determined + name in [2], on GCP zone can be fetched using `ID` as a pre-determined + name in [3]. \n [1]: https://docs.aws.amazon.com/cli/latest/reference/route53/get-hosted-zone.html#options + [2]: https://docs.microsoft.com/en-us/cli/azure/network/dns/zone?view=azure-cli-latest#az-network-dns-zone-show + [3]: https://cloud.google.com/dns/docs/reference/v1/managedZones/get" + type: string + tags: + description: "tags can be used to query the DNS hosted zone. \n + on AWS, resourcegroupstaggingapi [1] can be used to fetch a zone + using `Tags` as tag-filters, \n [1]: https://docs.aws.amazon.com/cli/latest/reference/resourcegroupstaggingapi/get-resources.html#options" + type: object + additionalProperties: + type: string + publicZone: + description: "publicZone is the location where all the DNS records that + are publicly accessible to the internet exist. \n If this field is + nil, no public records should be created. \n Once set, this field + cannot be changed." + type: object + properties: + id: + description: "id is the identifier that can be used to find the + DNS hosted zone. \n on AWS zone can be fetched using `ID` as id + in [1] on Azure zone can be fetched using `ID` as a pre-determined + name in [2], on GCP zone can be fetched using `ID` as a pre-determined + name in [3]. \n [1]: https://docs.aws.amazon.com/cli/latest/reference/route53/get-hosted-zone.html#options + [2]: https://docs.microsoft.com/en-us/cli/azure/network/dns/zone?view=azure-cli-latest#az-network-dns-zone-show + [3]: https://cloud.google.com/dns/docs/reference/v1/managedZones/get" + type: string + tags: + description: "tags can be used to query the DNS hosted zone. 
\n + on AWS, resourcegroupstaggingapi [1] can be used to fetch a zone + using `Tags` as tag-filters, \n [1]: https://docs.aws.amazon.com/cli/latest/reference/resourcegroupstaggingapi/get-resources.html#options" + type: object + additionalProperties: + type: string + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object diff --git a/config/v1/0000_10_config-operator_01_featuregate.crd.yaml b/config/v1/0000_10_config-operator_01_featuregate.crd.yaml new file mode 100644 index 00000000000..fedbdb813e7 --- /dev/null +++ b/config/v1/0000_10_config-operator_01_featuregate.crd.yaml 
@@ -0,0 +1,76 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: featuregates.config.openshift.io +spec: + group: config.openshift.io + version: v1 + scope: Cluster + names: + kind: FeatureGate + singular: featuregate + plural: featuregates + listKind: FeatureGateList + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + "validation": + "openAPIV3Schema": + description: Feature holds cluster-wide information about feature gates. The + canonical name is `cluster` + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + description: Standard object's metadata. + type: object + spec: + description: spec holds user settable values for configuration + type: object + properties: + customNoUpgrade: + description: customNoUpgrade allows the enabling or disabling of any + feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, + and PREVENTS UPGRADES. Because of its nature, this setting cannot + be validated. If you have any typos or accidentally apply invalid + combinations your cluster may fail in an unrecoverable way. featureSet + must equal "CustomNoUpgrade" must be set to use this field. 
+ type: object + properties: + disabled: + description: disabled is a list of all feature gates that you want + to force off + type: array + items: + type: string + enabled: + description: enabled is a list of all feature gates that you want + to force on + type: array + items: + type: string + nullable: true + featureSet: + description: featureSet changes the list of features in the cluster. The + default is empty. Be very careful adjusting this setting. Turning + on or off features may cause irreversible changes in your cluster + which cannot be undone. + type: string + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object diff --git a/config/v1/0000_10_config-operator_01_image.crd.yaml b/config/v1/0000_10_config-operator_01_image.crd.yaml new file mode 100644 index 00000000000..17ef929904d --- /dev/null +++ b/config/v1/0000_10_config-operator_01_image.crd.yaml 
@@ -0,0 +1,144 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: images.config.openshift.io +spec: + group: config.openshift.io + scope: Cluster + names: + kind: Image + singular: image + plural: images + listKind: ImageList + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + "validation": + "openAPIV3Schema": + description: Image governs policies related to imagestream imports and runtime + configuration for external registries. It allows cluster admins to configure + which registries OpenShift is allowed to import images from, extra CA trust + bundles for external registries, and policies to blacklist/whitelist registry + hostnames. When exposing OpenShift's image registry to the public, this also + lets cluster admins specify the external hostname. + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + description: Standard object's metadata. + type: object + spec: + description: spec holds user settable values for configuration + type: object + properties: + additionalTrustedCA: + description: additionalTrustedCA is a reference to a ConfigMap containing + additional CAs that should be trusted during imagestream import, pod + image pull, build image pull, and imageregistry pullthrough. 
The namespace + for this config map is openshift-config. + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + allowedRegistriesForImport: + description: allowedRegistriesForImport limits the container image registries + that normal users may import images from. Set this list to the registries + that you trust to contain valid Docker images and that you want applications + to be able to import from. Users with permission to create Images + or ImageStreamMappings via the API are not affected by this policy + - typically only administrators or system integrations will have those + permissions. + type: array + items: + description: RegistryLocation contains a location of the registry + specified by the registry domain name. The domain name might include + wildcards, like '*' or '??'. + type: object + properties: + domainName: + description: domainName specifies a domain name for the registry + In case the registry use non-standard (80 or 443) port, the + port should be included in the domain name as well. + type: string + insecure: + description: insecure indicates whether the registry is secure + (https) or insecure (http) By default (if not specified) the + registry is assumed as secure. + type: boolean + externalRegistryHostnames: + description: externalRegistryHostnames provides the hostnames for the + default external image registry. The external hostname should be set + only when the image registry is exposed externally. The first value + is used in 'publicDockerImageRepository' field in ImageStreams. The + value must be in "hostname[:port]" format. + type: array + items: + type: string + registrySources: + description: registrySources contains configuration that determines + how the container runtime should treat individual registries when + accessing images for builds+pods. (e.g. whether or not to allow insecure + access). 
It does not contain configuration for the internal cluster + registry. + type: object + properties: + allowedRegistries: + description: "allowedRegistries are whitelisted for image pull/push. + All other registries are blocked. \n Only one of BlockedRegistries + or AllowedRegistries may be set." + type: array + items: + type: string + blockedRegistries: + description: "blockedRegistries are blacklisted from image pull/push. + All other registries are allowed. \n Only one of BlockedRegistries + or AllowedRegistries may be set." + type: array + items: + type: string + insecureRegistries: + description: insecureRegistries are registries which do not have + a valid TLS certificates or only support HTTP connections. + type: array + items: + type: string + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object + properties: + externalRegistryHostnames: + description: externalRegistryHostnames provides the hostnames for the + default external image registry. The external hostname should be set + only when the image registry is exposed externally. The first value + is used in 'publicDockerImageRepository' field in ImageStreams. The + value must be in "hostname[:port]" format. + type: array + items: + type: string + internalRegistryHostname: + description: internalRegistryHostname sets the hostname for the default + internal image registry. The value must be in "hostname[:port]" format. + This value is set by the image registry operator which controls the + internal registry hostname. For backward compatibility, users can + still use OPENSHIFT_DEFAULT_REGISTRY environment variable but this + setting overrides the environment variable. + type: string diff --git a/config/v1/0000_10_config-operator_01_infrastructure.crd.yaml b/config/v1/0000_10_config-operator_01_infrastructure.crd.yaml new file mode 100644 index 00000000000..c27e96abd49 --- /dev/null +++ b/config/v1/0000_10_config-operator_01_infrastructure.crd.yaml 
@@ -0,0 +1,189 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: infrastructures.config.openshift.io +spec: + group: config.openshift.io + names: + kind: Infrastructure + listKind: InfrastructureList + plural: infrastructures + singular: infrastructure + scope: Cluster + versions: + - name: v1 + served: true + storage: true + "validation": + "openAPIV3Schema": + description: Infrastructure holds cluster-wide information about Infrastructure. The + canonical name is `cluster` + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + description: Standard object's metadata. + type: object + spec: + description: spec holds user settable values for configuration + type: object + properties: + cloudConfig: + description: cloudConfig is a reference to a ConfigMap containing the + cloud provider configuration file. This configuration file is used + to configure the Kubernetes cloud provider integration when using + the built-in cloud provider integration or the external cloud controller + manager. The namespace for this config map is openshift-config. + type: object + properties: + key: + description: Key allows pointing to a specific key/value inside + of the configmap. This is useful for logical file references. 
+ type: string + name: + type: string + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object + properties: + apiServerInternalURI: + description: apiServerInternalURL is a valid URI with scheme(http/https), + address and port. apiServerInternalURL can be used by components + like kubelets, to contact the Kubernetes API server using the infrastructure + provider rather than Kubernetes networking. + type: string + apiServerURL: + description: apiServerURL is a valid URI with scheme(http/https), address + and port. apiServerURL can be used by components like the web console + to tell users where to find the Kubernetes API. + type: string + etcdDiscoveryDomain: + description: 'etcdDiscoveryDomain is the domain used to fetch the SRV + records for discovering etcd servers and clients. For more info: https://github.com/etcd-io/etcd/blob/329be66e8b3f9e2e6af83c123ff89297e49ebd15/Documentation/op-guide/clustering.md#dns-discovery' + type: string + infrastructureName: + description: infrastructureName uniquely identifies a cluster with a + human friendly name. Once set it should not be changed. Must be of + max length 27 and must have only alphanumeric or hyphen characters. + type: string + platform: + description: "platform is the underlying infrastructure provider for + the cluster. \n Deprecated: Use platformStatus.type instead." + type: string + platformStatus: + description: platformStatus holds status information specific to the + underlying infrastructure provider. + type: object + properties: + aws: + description: AWS contains settings specific to the Amazon Web Services + infrastructure provider. + type: object + properties: + region: + description: region holds the default AWS region for new AWS + resources created by the cluster. + type: string + azure: + description: Azure contains settings specific to the Azure infrastructure + provider. 
+ type: object + properties: + resourceGroupName: + description: resourceGroupName is the Resource Group for new + Azure resources created for the cluster. + type: string + baremetal: + description: BareMetal contains settings specific to the BareMetal + platform. + type: object + properties: + apiServerInternalIP: + description: apiServerInternalIP is an IP address to contact + the Kubernetes API server that can be used by components inside + the cluster, like kubelets using the infrastructure rather + than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI + points to. It is the IP for a self-hosted load balancer in + front of the API servers. + type: string + ingressIP: + description: ingressIP is an external IP which routes to the + default ingress controller. The IP is a suitable target of + a wildcard DNS record used to resolve default route host names. + type: string + nodeDNSIP: + description: nodeDNSIP is the IP address for the internal DNS + used by the nodes. Unlike the one managed by the DNS operator, + `NodeDNSIP` provides name resolution for the nodes themselves. + There is no DNS-as-a-service for BareMetal deployments. In + order to minimize necessary changes to the datacenter DNS, + a DNS service is hosted as a static pod to serve those hostnames + to the nodes in the cluster. + type: string + gcp: + description: GCP contains settings specific to the Google Cloud + Platform infrastructure provider. + type: object + properties: + projectID: + description: resourceGroupName is the Project ID for new GCP + resources created for the cluster. + type: string + region: + description: region holds the region for new GCP resources created + for the cluster. + type: string + openstack: + description: OpenStack contains settings specific to the OpenStack + infrastructure provider. 
+ type: object + properties: + apiServerInternalIP: + description: apiServerInternalIP is an IP address to contact + the Kubernetes API server that can be used by components inside + the cluster, like kubelets using the infrastructure rather + than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI + points to. It is the IP for a self-hosted load balancer in + front of the API servers. + type: string + cloudName: + description: cloudName is the name of the desired OpenStack + cloud in the client configuration file (`clouds.yaml`). + type: string + ingressIP: + description: ingressIP is an external IP which routes to the + default ingress controller. The IP is a suitable target of + a wildcard DNS record used to resolve default route host names. + type: string + nodeDNSIP: + description: nodeDNSIP is the IP address for the internal DNS + used by the nodes. Unlike the one managed by the DNS operator, + `NodeDNSIP` provides name resolution for the nodes themselves. + There is no DNS-as-a-service for OpenStack deployments. In + order to minimize necessary changes to the datacenter DNS, + a DNS service is hosted as a static pod to serve those hostnames + to the nodes in the cluster. + type: string + type: + description: type is the underlying infrastructure provider for + the cluster. This value controls whether infrastructure automation + such as service load balancers, dynamic volume provisioning, machine + creation and deletion, and other integrations are enabled. If + None, no infrastructure automation is enabled. Allowed values + are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", "OpenStack", + "VSphere", "oVirt", and "None". Individual components may not + support all platforms, and must handle unrecognized platforms + as None if they do not support that platform. + type: string 
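Review bot: The Infrastructure CRD declares no `subresources: status: {}` (the Ingress and OAuth CRDs in this same commit do), so `status` — documented here as observed values that "may not be overridden" — is writable by anyone holding update on the main resource, and the Network CRD in the next file section has the same gap. These files look like output of the crd-schema-gen target wired up in the Makefile, so the fix belongs on the Go type (a `+kubebuilder:subresource:status` marker) followed by regeneration rather than a hand edit here. Separately, `infrastructureName` is described as "max length 27 and must have only alphanumeric or hyphen characters" but the schema carries no `maxLength` or `pattern`, so that constraint is prose only and nothing rejects a non-conforming value at admission. Two doc slips carried in from the Go comments: `apiServerInternalURI` is described as `apiServerInternalURL`, and the GCP `projectID` description begins "resourceGroupName is the Project ID".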
diff --git a/config/v1/0000_10_config-operator_01_ingress.crd.yaml b/config/v1/0000_10_config-operator_01_ingress.crd.yaml
new file mode 100644
index 00000000000..2812ce85b2a
--- /dev/null
+++ b/config/v1/0000_10_config-operator_01_ingress.crd.yaml
@@ -0,0 +1,55 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ingresses.config.openshift.io +spec: + group: config.openshift.io + names: + kind: Ingress + listKind: IngressList + plural: ingresses + singular: ingress + scope: Cluster + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + "validation": + "openAPIV3Schema": + description: Ingress holds cluster-wide information about ingress, including + the default ingress domain used for routes. The canonical name is `cluster`. + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + description: Standard object's metadata. + type: object + spec: + description: spec holds user settable values for configuration + type: object + properties: + domain: + description: "domain is used to generate a default host name for a route + when the route's host name is empty. The generated host name will + follow this pattern: \"..\". + \n It is also used as the default wildcard domain suffix for ingress. + The default ingresscontroller domain will follow this pattern: \"*.\". + \n Once set, changing domain is not currently supported." + type: string + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object 
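Review bot: The `spec.domain` description has lost its placeholders — the route host pattern reads `\"..\"` and the ingresscontroller pattern `\"*.\"`, which tells a user nothing about the generated host name; most likely the Go doc comment used angle-bracketed tokens that were dropped as markup between the comment and the generated YAML. Since this file appears to be generated output, the fix is to restate the pattern in the Go comment without angle brackets (spelling the components out in words) and regenerate. The same truncation is visible in the OAuth CRD, where the GitHub `teams` description ends in "Format is /.".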
diff --git a/config/v1/0000_10_config-operator_01_network.crd.yaml b/config/v1/0000_10_config-operator_01_network.crd.yaml
new file mode 100644
index 00000000000..4eacca11bf7
--- /dev/null
+++ b/config/v1/0000_10_config-operator_01_network.crd.yaml
@@ -0,0 +1,141 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: networks.config.openshift.io +spec: + group: config.openshift.io + names: + kind: Network + listKind: NetworkList + plural: networks + singular: network + scope: Cluster + versions: + - name: v1 + served: true + storage: true + "validation": + "openAPIV3Schema": + description: 'Network holds cluster-wide information about Network. The canonical + name is `cluster`. It is used to configure the desired network configuration, + such as: IP address pools for services/pod IPs, network plugin, etc. Please + view network.spec for an explanation on what applies when configuring this + resource.' + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + description: Standard object's metadata. + type: object + spec: + description: spec holds user settable values for configuration. As a general + rule, this SHOULD NOT be read directly. Instead, you should consume the + NetworkStatus, as it indicates the currently deployed configuration. Currently, + most spec fields are immutable after installation. Please view the individual + ones for further details on each. + type: object + properties: + clusterNetwork: + description: IP address pool to use for pod IPs. 
This field is immutable + after installation. + type: array + items: + description: ClusterNetworkEntry is a contiguous block of IP addresses + from which pod IPs are allocated. + type: object + properties: + cidr: + description: The complete block for pod IPs. + type: string + hostPrefix: + description: The size (prefix) of block to allocate to each node. + type: integer + format: int32 + minimum: 0 + externalIP: + description: externalIP defines configuration for controllers that affect + Service.ExternalIP. If nil, then ExternalIP is not allowed to be set. + type: object + properties: + autoAssignCIDRs: + description: autoAssignCIDRs is a list of CIDRs from which to automatically + assign Service.ExternalIP. These are assigned when the service + is of type LoadBalancer. In general, this is only useful for bare-metal + clusters. In Openshift 3.x, this was misleadingly called "IngressIPs". + Automatically assigned External IPs are not affected by any ExternalIPPolicy + rules. Currently, only one entry may be provided. + type: array + items: + type: string + policy: + description: policy is a set of restrictions applied to the ExternalIP + field. If nil or empty, then ExternalIP is not allowed to be set. + type: object + properties: + allowedCIDRs: + description: allowedCIDRs is the list of allowed CIDRs. + type: array + items: + type: string + rejectedCIDRs: + description: rejectedCIDRs is the list of disallowed CIDRs. + These take precedence over allowedCIDRs. + type: array + items: + type: string + networkType: + description: 'NetworkType is the plugin that is to be deployed (e.g. + OpenShiftSDN). This should match a value that the cluster-network-operator + understands, or else no networking will be installed. Currently supported + values are: - OpenShiftSDN This field is immutable after installation.' + type: string + serviceNetwork: + description: IP address pool for services. Currently, we only support + a single entry here. 
This field is immutable after installation. + type: array + items: + type: string + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object + properties: + clusterNetwork: + description: IP address pool to use for pod IPs. + type: array + items: + description: ClusterNetworkEntry is a contiguous block of IP addresses + from which pod IPs are allocated. + type: object + properties: + cidr: + description: The complete block for pod IPs. + type: string + hostPrefix: + description: The size (prefix) of block to allocate to each node. + type: integer + format: int32 + minimum: 0 + clusterNetworkMTU: + description: ClusterNetworkMTU is the MTU for inter-pod networking. + type: integer + networkType: + description: NetworkType is the plugin that is deployed (e.g. OpenShiftSDN). + type: string + serviceNetwork: + description: IP address pool for services. Currently, we only support + a single entry here. + type: array + items: + type: string diff --git a/config/v1/0000_10_config-operator_01_oauth.crd.yaml b/config/v1/0000_10_config-operator_01_oauth.crd.yaml new file mode 100644 index 00000000000..6a7b43ccb4d --- /dev/null +++ b/config/v1/0000_10_config-operator_01_oauth.crd.yaml 
@@ -0,0 +1,660 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: oauths.config.openshift.io +spec: + group: config.openshift.io + names: + kind: OAuth + listKind: OAuthList + plural: oauths + singular: oauth + scope: Cluster + subresources: + status: {} + versions: + - name: v1 + served: true + storage: true + "validation": + "openAPIV3Schema": + description: OAuth holds cluster-wide information about OAuth. The canonical + name is `cluster`. It is used to configure the integrated OAuth server. This + configuration is only honored when the top level Authentication config has + type set to IntegratedOAuth. + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: OAuthSpec contains desired cluster auth configuration + type: object + properties: + identityProviders: + description: identityProviders is an ordered list of ways for a user + to identify themselves. When this list is empty, no identities are + provisioned for users. 
+ type: array + items: + description: IdentityProvider provides identities for users authenticating + using credentials + type: object + properties: + basicAuth: + description: basicAuth contains configuration options for the + BasicAuth IdP + type: object + properties: + ca: + description: ca is an optional reference to a config map by + name containing the PEM-encoded CA bundle. It is used as + a trust anchor to validate the TLS certificate presented + by the remote server. The key "ca.crt" is used to locate + the data. If specified and the config map or expected key + is not found, the identity provider is not honored. If the + specified ca data is not valid, the identity provider is + not honored. If empty, the default system roots are used. + The namespace for this config map is openshift-config. + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + tlsClientCert: + description: tlsClientCert is an optional reference to a secret + by name that contains the PEM-encoded TLS client certificate + to present when connecting to the server. The key "tls.crt" + is used to locate the data. If specified and the secret + or expected key is not found, the identity provider is not + honored. If the specified certificate data is not valid, + the identity provider is not honored. The namespace for + this secret is openshift-config. + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + tlsClientKey: + description: tlsClientKey is an optional reference to a secret + by name that contains the PEM-encoded TLS private key for + the client certificate referenced in tlsClientCert. The + key "tls.key" is used to locate the data. If specified and + the secret or expected key is not found, the identity provider + is not honored. 
If the specified certificate data is not + valid, the identity provider is not honored. The namespace + for this secret is openshift-config. + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + url: + description: url is the remote URL to connect to + type: string + github: + description: github enables user authentication using GitHub credentials + type: object + properties: + ca: + description: ca is an optional reference to a config map by + name containing the PEM-encoded CA bundle. It is used as + a trust anchor to validate the TLS certificate presented + by the remote server. The key "ca.crt" is used to locate + the data. If specified and the config map or expected key + is not found, the identity provider is not honored. If the + specified ca data is not valid, the identity provider is + not honored. If empty, the default system roots are used. + This can only be configured when hostname is set to a non-empty + value. The namespace for this config map is openshift-config. + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + clientID: + description: clientID is the oauth client ID + type: string + clientSecret: + description: clientSecret is a required reference to the secret + by name containing the oauth client secret. The key "clientSecret" + is used to locate the data. If the secret or expected key + is not found, the identity provider is not honored. The + namespace for this secret is openshift-config. + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + hostname: + description: hostname is the optional domain (e.g. "mycompany.com") + for use with a hosted instance of GitHub Enterprise. It + must match the GitHub Enterprise settings value configured + at /setup/settings#hostname. 
+ type: string + organizations: + description: organizations optionally restricts which organizations + are allowed to log in + type: array + items: + type: string + teams: + description: teams optionally restricts which teams are allowed + to log in. Format is /. + type: array + items: + type: string + gitlab: + description: gitlab enables user authentication using GitLab credentials + type: object + properties: + ca: + description: ca is an optional reference to a config map by + name containing the PEM-encoded CA bundle. It is used as + a trust anchor to validate the TLS certificate presented + by the remote server. The key "ca.crt" is used to locate + the data. If specified and the config map or expected key + is not found, the identity provider is not honored. If the + specified ca data is not valid, the identity provider is + not honored. If empty, the default system roots are used. + The namespace for this config map is openshift-config. + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + clientID: + description: clientID is the oauth client ID + type: string + clientSecret: + description: clientSecret is a required reference to the secret + by name containing the oauth client secret. The key "clientSecret" + is used to locate the data. If the secret or expected key + is not found, the identity provider is not honored. The + namespace for this secret is openshift-config. 
+ type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + url: + description: url is the oauth server base URL + type: string + google: + description: google enables user authentication using Google credentials + type: object + properties: + clientID: + description: clientID is the oauth client ID + type: string + clientSecret: + description: clientSecret is a required reference to the secret + by name containing the oauth client secret. The key "clientSecret" + is used to locate the data. If the secret or expected key + is not found, the identity provider is not honored. The + namespace for this secret is openshift-config. + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + hostedDomain: + description: hostedDomain is the optional Google App domain + (e.g. "mycompany.com") to restrict logins to + type: string + htpasswd: + description: htpasswd enables user authentication using an HTPasswd + file to validate credentials + type: object + properties: + fileData: + description: fileData is a required reference to a secret + by name containing the data to use as the htpasswd file. + The key "htpasswd" is used to locate the data. If the secret + or expected key is not found, the identity provider is not + honored. If the specified htpasswd data is not valid, the + identity provider is not honored. The namespace for this + secret is openshift-config. + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + keystone: + description: keystone enables user authentication using keystone + password credentials + type: object + properties: + ca: + description: ca is an optional reference to a config map by + name containing the PEM-encoded CA bundle. 
It is used as + a trust anchor to validate the TLS certificate presented + by the remote server. The key "ca.crt" is used to locate + the data. If specified and the config map or expected key + is not found, the identity provider is not honored. If the + specified ca data is not valid, the identity provider is + not honored. If empty, the default system roots are used. + The namespace for this config map is openshift-config. + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + domainName: + description: domainName is required for keystone v3 + type: string + tlsClientCert: + description: tlsClientCert is an optional reference to a secret + by name that contains the PEM-encoded TLS client certificate + to present when connecting to the server. The key "tls.crt" + is used to locate the data. If specified and the secret + or expected key is not found, the identity provider is not + honored. If the specified certificate data is not valid, + the identity provider is not honored. The namespace for + this secret is openshift-config. + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + tlsClientKey: + description: tlsClientKey is an optional reference to a secret + by name that contains the PEM-encoded TLS private key for + the client certificate referenced in tlsClientCert. The + key "tls.key" is used to locate the data. If specified and + the secret or expected key is not found, the identity provider + is not honored. If the specified certificate data is not + valid, the identity provider is not honored. The namespace + for this secret is openshift-config. 
+ type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + url: + description: url is the remote URL to connect to + type: string + ldap: + description: ldap enables user authentication using LDAP credentials + type: object + properties: + attributes: + description: attributes maps LDAP attributes to identities + type: object + properties: + email: + description: email is the list of attributes whose values + should be used as the email address. Optional. If unspecified, + no email is set for the identity + type: array + items: + type: string + id: + description: id is the list of attributes whose values + should be used as the user ID. Required. First non-empty + attribute is used. At least one attribute is required. + If none of the listed attribute have a value, authentication + fails. LDAP standard identity attribute is "dn" + type: array + items: + type: string + name: + description: name is the list of attributes whose values + should be used as the display name. Optional. If unspecified, + no display name is set for the identity LDAP standard + display name attribute is "cn" + type: array + items: + type: string + preferredUsername: + description: preferredUsername is the list of attributes + whose values should be used as the preferred username. + LDAP standard login attribute is "uid" + type: array + items: + type: string + bindDN: + description: bindDN is an optional DN to bind with during + the search phase. + type: string + bindPassword: + description: bindPassword is an optional reference to a secret + by name containing a password to bind with during the search + phase. The key "bindPassword" is used to locate the data. + If specified and the secret or expected key is not found, + the identity provider is not honored. The namespace for + this secret is openshift-config. 
+ type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + ca: + description: ca is an optional reference to a config map by + name containing the PEM-encoded CA bundle. It is used as + a trust anchor to validate the TLS certificate presented + by the remote server. The key "ca.crt" is used to locate + the data. If specified and the config map or expected key + is not found, the identity provider is not honored. If the + specified ca data is not valid, the identity provider is + not honored. If empty, the default system roots are used. + The namespace for this config map is openshift-config. + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + insecure: + description: 'insecure, if true, indicates the connection + should not use TLS WARNING: Should not be set to `true` + with the URL scheme "ldaps://" as "ldaps://" URLs always attempt + to connect using TLS, even when `insecure` is set to `true` + When `true`, "ldap://" URLS connect insecurely. When `false`, + "ldap://" URLs are upgraded to a TLS connection using StartTLS + as specified in https://tools.ietf.org/html/rfc2830.' + type: boolean + url: + description: 'url is an RFC 2255 URL which specifies the LDAP + search parameters to use. The syntax of the URL is: ldap://host:port/basedn?attribute?scope?filter' + type: string + mappingMethod: + description: mappingMethod determines how identities from this + provider are mapped to users Defaults to "claim" + type: string + name: + description: 'name is used to qualify the identities returned + by this provider. - It MUST be unique and not shared by any + other identity provider used - It MUST be a valid path segment: + name cannot equal "." or ".." 
or contain "/" or "%" or ":" Ref: + https://godoc.org/github.com/openshift/origin/pkg/user/apis/user/validation#ValidateIdentityProviderName' + type: string + openID: + description: openID enables user authentication using OpenID credentials + type: object + properties: + ca: + description: ca is an optional reference to a config map by + name containing the PEM-encoded CA bundle. It is used as + a trust anchor to validate the TLS certificate presented + by the remote server. The key "ca.crt" is used to locate + the data. If specified and the config map or expected key + is not found, the identity provider is not honored. If the + specified ca data is not valid, the identity provider is + not honored. If empty, the default system roots are used. + The namespace for this config map is openshift-config. + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + claims: + description: claims mappings + type: object + properties: + email: + description: email is the list of claims whose values + should be used as the email address. Optional. If unspecified, + no email is set for the identity + type: array + items: + type: string + name: + description: name is the list of claims whose values should + be used as the display name. Optional. If unspecified, + no display name is set for the identity + type: array + items: + type: string + preferredUsername: + description: preferredUsername is the list of claims whose + values should be used as the preferred username. If + unspecified, the preferred username is determined from + the value of the sub claim + type: array + items: + type: string + clientID: + description: clientID is the oauth client ID + type: string + clientSecret: + description: clientSecret is a required reference to the secret + by name containing the oauth client secret. The key "clientSecret" + is used to locate the data. 
If the secret or expected key + is not found, the identity provider is not honored. The + namespace for this secret is openshift-config. + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + extraAuthorizeParameters: + description: extraAuthorizeParameters are any custom parameters + to add to the authorize request. + type: object + additionalProperties: + type: string + extraScopes: + description: extraScopes are any scopes to request in addition + to the standard "openid" scope. + type: array + items: + type: string + issuer: + description: issuer is the URL that the OpenID Provider asserts + as its Issuer Identifier. It must use the https scheme with + no query or fragment component. + type: string + requestHeader: + description: requestHeader enables user authentication using request + header credentials + type: object + properties: + ca: + description: ca is a required reference to a config map by + name containing the PEM-encoded CA bundle. It is used as + a trust anchor to validate the TLS certificate presented + by the remote server. Specifically, it allows verification + of incoming requests to prevent header spoofing. The key + "ca.crt" is used to locate the data. If the config map or + expected key is not found, the identity provider is not + honored. If the specified ca data is not valid, the identity + provider is not honored. The namespace for this config map + is openshift-config. + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + challengeURL: + description: challengeURL is a URL to redirect unauthenticated + /authorize requests to Unauthenticated requests from OAuth + clients which expect WWW-Authenticate challenges will be + redirected here. 
${url} is replaced with the current URL, + escaped to be safe in a query parameter https://www.example.com/sso-login?then=${url} + ${query} is replaced with the current query string https://www.example.com/auth-proxy/oauth/authorize?${query} + Required when challenge is set to true. + type: string + clientCommonNames: + description: clientCommonNames is an optional list of common + names to require a match from. If empty, any client certificate + validated against the clientCA bundle is considered authoritative. + type: array + items: + type: string + emailHeaders: + description: emailHeaders is the set of headers to check for + the email address + type: array + items: + type: string + headers: + description: headers is the set of headers to check for identity + information + type: array + items: + type: string + loginURL: + description: loginURL is a URL to redirect unauthenticated + /authorize requests to Unauthenticated requests from OAuth + clients which expect interactive logins will be redirected + here ${url} is replaced with the current URL, escaped to + be safe in a query parameter https://www.example.com/sso-login?then=${url} + ${query} is replaced with the current query string https://www.example.com/auth-proxy/oauth/authorize?${query} + Required when login is set to true. + type: string + nameHeaders: + description: nameHeaders is the set of headers to check for + the display name + type: array + items: + type: string + preferredUsernameHeaders: + description: preferredUsernameHeaders is the set of headers + to check for the preferred username + type: array + items: + type: string + type: + description: type identifies the identity provider type for this + entry. + type: string + templates: + description: templates allow you to customize pages like the login page. + type: object + properties: + error: + description: error is the name of a secret that specifies a go template + to use to render error pages during the authentication or grant + flow. 
The key "errors.html" is used to locate the template data. + If specified and the secret or expected key is not found, the + default error page is used. If the specified template is not valid, + the default error page is used. If unspecified, the default error + page is used. The namespace for this secret is openshift-config. + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced secret + type: string + login: + description: login is the name of a secret that specifies a go template + to use to render the login page. The key "login.html" is used + to locate the template data. If specified and the secret or expected + key is not found, the default login page is used. If the specified + template is not valid, the default login page is used. If unspecified, + the default login page is used. The namespace for this secret + is openshift-config. + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced secret + type: string + providerSelection: + description: providerSelection is the name of a secret that specifies + a go template to use to render the provider selection page. The + key "providers.html" is used to locate the template data. If specified + and the secret or expected key is not found, the default provider + selection page is used. If the specified template is not valid, + the default provider selection page is used. If unspecified, the + default provider selection page is used. The namespace for this + secret is openshift-config. 
+ type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced secret + type: string + tokenConfig: + description: tokenConfig contains options for authorization and access + tokens + type: object + properties: + accessTokenInactivityTimeoutSeconds: + description: 'accessTokenInactivityTimeoutSeconds defines the default + token inactivity timeout for tokens granted by any client. The + value represents the maximum amount of time that can occur between + consecutive uses of the token. Tokens become invalid if they are + not used within this temporal window. The user will need to acquire + a new token to regain access once a token times out. Valid values + are integer values: x < 0 Tokens time out is enabled but tokens + never timeout unless configured per client (e.g. `-1`) x = 0 Tokens + time out is disabled (default) x > 0 Tokens time out if there + is no activity for x seconds The current minimum allowed value + for X is 300 (5 minutes)' + type: integer + format: int32 + accessTokenMaxAgeSeconds: + description: accessTokenMaxAgeSeconds defines the maximum age of + access tokens + type: integer + format: int32 + status: + description: OAuthStatus shows current known state of OAuth server in the + cluster + type: object diff --git a/config/v1/0000_10_config-operator_01_project.crd.yaml b/config/v1/0000_10_config-operator_01_project.crd.yaml new file mode 100644 index 00000000000..c1feca7b4cb --- /dev/null +++ b/config/v1/0000_10_config-operator_01_project.crd.yaml 
@@ -0,0 +1,63 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: projects.config.openshift.io +spec: + group: config.openshift.io + scope: Cluster + versions: + - name: v1 + served: true + storage: true + names: + kind: Project + listKind: ProjectList + plural: projects + singular: project + subresources: + status: {} + "validation": + "openAPIV3Schema": + description: Project holds cluster-wide information about Project. The canonical + name is `cluster` + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + description: Standard object's metadata. + type: object + spec: + description: spec holds user settable values for configuration + type: object + properties: + projectRequestMessage: + description: projectRequestMessage is the string presented to a user + if they are unable to request a project via the projectrequest api + endpoint + type: string + projectRequestTemplate: + description: projectRequestTemplate is the template to use for creating + projects in response to projectrequest. This must point to a template + in 'openshift-config' namespace. It is optional. If it is not specified, + a default template is used. 
+ type: object + properties: + name: + description: name is the metadata.name of the referenced project + request template + type: string + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object diff --git a/config/v1/0000_10_config-operator_01_scheduler.crd.yaml b/config/v1/0000_10_config-operator_01_scheduler.crd.yaml new file mode 100644 index 00000000000..43c9d8b2bb2 --- /dev/null +++ b/config/v1/0000_10_config-operator_01_scheduler.crd.yaml 
@@ -0,0 +1,88 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: schedulers.config.openshift.io +spec: + group: config.openshift.io + scope: Cluster + names: + kind: Scheduler + singular: scheduler + plural: schedulers + listKind: SchedulerList + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + "validation": + "openAPIV3Schema": + description: Scheduler holds cluster-wide config information to run the Kubernetes + Scheduler and influence its placement decisions. The canonical name for this + config is `cluster`. + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + description: Standard object's metadata. + type: object + spec: + description: spec holds user settable values for configuration + type: object + properties: + defaultNodeSelector: + description: 'defaultNodeSelector helps set the cluster-wide default + node selector to restrict pod placement to specific nodes. This is + applied to the pods created in all namespaces without a specified + nodeSelector value. For example, defaultNodeSelector: "type=user-node,region=east" + would set nodeSelector field in pod spec to "type=user-node,region=east" + to all pods created in all namespaces. 
Namespaces having project-wide + node selectors won''t be impacted even if this field is set. This + adds an annotation section to the namespace. For example, if a new + namespace is created with node-selector=''type=user-node,region=east'', + the annotation openshift.io/node-selector: type=user-node,region=east + gets added to the project. When the openshift.io/node-selector annotation + is set on the project the value is used in preference to the value + we are setting for defaultNodeSelector field. For instance, openshift.io/node-selector: + "type=user-node,region=west" means that the default of "type=user-node,region=east" + set in defaultNodeSelector would not be applied.' + type: string + mastersSchedulable: + description: 'MastersSchedulable allows masters nodes to be schedulable. + When this flag is turned on, all the master nodes in the cluster will + be made schedulable, so that workload pods can run on them. The default + value for this field is false, meaning none of the master nodes are + schedulable. Important Note: Once the workload pods start running + on the master nodes, extreme care must be taken to ensure that cluster-critical + control plane components are not impacted. Please turn on this field + after doing due diligence.' + type: boolean + policy: + description: policy is a reference to a ConfigMap containing scheduler + policy which has user specified predicates and priorities. If this + ConfigMap is not available scheduler will default to use DefaultAlgorithmProvider. + The namespace for this configmap is openshift-config. + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object diff --git a/config/v1/types_operatorhub.go b/config/v1/types_operatorhub.go index 31291dec2f6..1d998bf37d9 100644 --- a/config/v1/types_operatorhub.go 
+++ b/config/v1/types_operatorhub.go
@@ -70,7 +70,7 @@ type HubSource struct {
 // HubSourceStatus is used to reflect the current state of applying the
 // configuration to a default source
 type HubSourceStatus struct {
- HubSource `json:"",omitempty`
+ HubSource `json:",omitempty"`
 // status indicates success or failure in applying the configuration
 Status string `json:"status,omitempty"`
 // message provides more information regarding failures
diff --git a/console/v1/0000_10_config-operator_01_consoleclidownload.crd.yaml b/console/v1/0000_10_config-operator_01_consoleclidownload.crd.yaml
new file mode 100644
index 00000000000..7f1cf4591ac
--- /dev/null
+++ b/console/v1/0000_10_config-operator_01_consoleclidownload.crd.yaml
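Review bot: The corrected tag `json:",omitempty"` still carries `omitempty` on an embedded struct value, and encoding/json never treats a struct as empty, so the option has no effect while suggesting to readers that the HubSource part could be omitted. What the empty name part does achieve is keeping the field anonymous, so HubSource's own fields stay promoted into the enclosing JSON object (the conventional Kubernetes spelling of that intent is `json:",inline"`, which encoding/json tolerates for the same reason). Either drop the option or document the inlining on the line, `HubSource `json:",inline"` // fields are inlined; omitempty is a no-op on a struct`. The struct body continues outside the hunk.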
@@ -0,0 +1,87 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: consoleclidownloads.console.openshift.io + annotations: + displayName: ConsoleCLIDownload + description: Extension for configuring openshift web console command line interface + (CLI) downloads. +spec: + scope: Cluster + group: console.openshift.io + versions: + - name: v1 + served: true + storage: true + names: + plural: consoleclidownloads + singular: consoleclidownload + kind: ConsoleCLIDownload + listKind: ConsoleCLIDownloadList + additionalPrinterColumns: + - name: Display name + type: string + JSONPath: .spec.displayName + - name: Age + type: string + JSONPath: .metadata.creationTimestamp + - name: Description + type: string + JSONPath: .spec.description + subresources: + status: {} + "validation": + "openAPIV3Schema": + description: ConsoleCLIDownload is an extension for configuring openshift web + console command line interface (CLI) downloads. + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + description: Standard object's metadata. + type: object + spec: + description: ConsoleCLIDownloadSpec is the desired cli download configuration. 
+ type: object + required: + - description + - displayName + - links + properties: + description: + description: description is the description of the CLI download (can + include markdown). + type: string + displayName: + description: displayName is the display name of the CLI download. + type: string + links: + description: links is a list of objects that provide CLI download link + details. + type: array + items: + description: Represents a standard link that could be generated in + HTML + type: object + required: + - href + - text + properties: + href: + description: href is the absolute secure URL for the link (must + use https) + type: string + text: + description: text is the display text for the link + type: string diff --git a/console/v1/0000_10_config-operator_01_consoleexternalloglink.crd.yaml b/console/v1/0000_10_config-operator_01_consoleexternalloglink.crd.yaml new file mode 100644 index 00000000000..3789d5875a4 --- /dev/null +++ b/console/v1/0000_10_config-operator_01_consoleexternalloglink.crd.yaml 
@@ -0,0 +1,85 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: consoleexternalloglinks.console.openshift.io + annotations: + displayName: ConsoleExternalLogLinks + description: ConsoleExternalLogLink is an extension for customizing OpenShift + web console log links. +spec: + scope: Cluster + group: console.openshift.io + versions: + - name: v1 + served: true + storage: true + names: + plural: consoleexternalloglinks + singular: consoleexternalloglink + kind: ConsoleExternalLogLink + listKind: ConsoleExternalLogLinkList + additionalPrinterColumns: + - name: Text + type: string + JSONPath: .spec.text + - name: HrefTemplate + type: string + JSONPath: .spec.hrefTemplate + - name: Age + type: date + JSONPath: .metadata.creationTimestamp + subresources: + status: {} + "validation": + "openAPIV3Schema": + description: ConsoleExternalLogLink is an extension for customizing OpenShift + web console log links. + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + description: Standard object's metadata. + type: object + spec: + description: ConsoleExternalLogLinkSpec is the desired log link configuration. + The log link will appear on the logs tab of the pod details page. 
+ type: object + required: + - hrefTemplate + - text + properties: + hrefTemplate: + description: "hrefTemplate is an absolute secure URL (must use https) + for the log link including variables to be replaced. Variables are + specified in the URL with the format ${variableName}, for instance, + ${containerName} and will be replaced with the corresponding values + from the resource. Resource is a pod. Supported variables are: - ${resourceName} + - name of the resource which containes the logs - ${resourceUID} - + UID of the resource which contains the logs - e.g. `11111111-2222-3333-4444-555555555555` + - ${containerName} - name of the resource's container that contains + the logs - ${resourceNamespace} - namespace of the resource that contains + the logs - ${podLabels} - JSON representation of labels matching the + pod with the logs - e.g. `{\"key1\":\"value1\",\"key2\":\"value2\"}` + \n e.g., https://example.com/logs?resourceName=${resourceName}&containerName=${containerName}&resourceNamespace=${resourceNamespace}&podLabels=${podLabels}" + type: string + namespaceFilter: + description: namespaceFilter is a regular expression used to restrict + a log link to a matching set of namespaces (e.g., `^openshift-`). + The string is converted into a regular expression using the JavaScript + RegExp constructor. If not specified, links will be displayed for + all the namespaces. + type: string + text: + description: text is the display text for the link + type: string diff --git a/console/v1/0000_10_config-operator_01_consolelink.crd.yaml b/console/v1/0000_10_config-operator_01_consolelink.crd.yaml new file mode 100644 index 00000000000..ddb0f78218e --- /dev/null +++ b/console/v1/0000_10_config-operator_01_consolelink.crd.yaml 
@@ -0,0 +1,107 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: consolelinks.console.openshift.io + annotations: + displayName: ConsoleLinks + description: Extension for customizing OpenShift web console links +spec: + scope: Cluster + group: console.openshift.io + versions: + - name: v1 + served: true + storage: true + names: + plural: consolelinks + singular: consolelink + kind: ConsoleLink + listKind: ConsoleLinkList + additionalPrinterColumns: + - name: Text + type: string + JSONPath: .spec.text + - name: URL + type: string + JSONPath: .spec.href + - name: Menu + type: string + JSONPath: .spec.menu + - name: Age + type: date + JSONPath: .metadata.creationTimestamp + subresources: + status: {} + "validation": + "openAPIV3Schema": + description: ConsoleLink is an extension for customizing OpenShift web console + links. + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + description: Standard object's metadata. + type: object + spec: + description: ConsoleLinkSpec is the desired console link configuration. 
+ type: object + required: + - href + - location + - text + properties: + applicationMenu: + description: applicationMenu holds information about section and icon + used for the link in the application menu, and it is applicable only + when location is set to ApplicationMenu. + type: object + required: + - section + properties: + imageURL: + description: imageUrl is the URL for the icon used in front of the + link in the application menu. The URL must be an HTTPS URL or + a Data URI. The image should be square and will be shown at 24x24 + pixels. + type: string + section: + description: section is the section of the application menu in which + the link should appear. + type: string + href: + description: href is the absolute secure URL for the link (must use + https) + type: string + location: + description: location determines which location in the console the link + will be appended to. + type: string + namespaceDashboard: + description: namespaceDashboard holds information about namespaces in + which the dashboard link should appear, and it is applicable only + when location is set to NamespaceDashboard. If not specified, the + link will appear in all namespaces. + type: object + required: + - namespaces + properties: + namespaces: + description: namespaces is an array of namespace names in which + the dashboard link should appear. + type: array + items: + type: string + text: + description: text is the display text for the link + type: string diff --git a/console/v1/0000_10_config-operator_01_consolenotification.crd.yaml b/console/v1/0000_10_config-operator_01_consolenotification.crd.yaml new file mode 100644 index 00000000000..7db12df76c1 --- /dev/null +++ b/console/v1/0000_10_config-operator_01_consolenotification.crd.yaml 
@@ -0,0 +1,87 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: consolenotifications.console.openshift.io + annotations: + displayName: ConsoleNotification + description: Extension for configuring openshift web console notifications. +spec: + scope: Cluster + group: console.openshift.io + versions: + - name: v1 + served: true + storage: true + names: + plural: consolenotifications + singular: consolenotification + kind: ConsoleNotification + listKind: ConsoleNotificationList + additionalPrinterColumns: + - name: Text + type: string + JSONPath: .spec.text + - name: Location + type: string + JSONPath: .spec.location + - name: Age + type: date + JSONPath: .metadata.creationTimestamp + subresources: + status: {} + "validation": + "openAPIV3Schema": + description: ConsoleNotification is the extension for configuring openshift + web console notifications. + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + description: Standard object's metadata. + type: object + spec: + description: ConsoleNotificationSpec is the desired console notification + configuration. + type: object + required: + - text + properties: + backgroundColor: + description: backgroundColor is the color of the background for the + notification as CSS data type color. 
+ type: string + color: + description: color is the color of the text for the notification as + CSS data type color. + type: string + link: + description: link is an object that holds notification link details. + type: object + required: + - href + - text + properties: + href: + description: href is the absolute secure URL for the link (must + use https) + type: string + text: + description: text is the display text for the link + type: string + location: + description: location is the location of the notification in the console. + type: string + text: + description: text is the visible text of the notification. + type: string diff --git a/hack/alpha-build-machinery/Makefile b/hack/alpha-build-machinery/Makefile new file mode 100644 index 00000000000..b44d020e4b6 --- /dev/null +++ b/hack/alpha-build-machinery/Makefile 
@@ -0,0 +1,61 @@
+SHELL :=/bin/bash
+all: verify
+.PHONY: all
+
+makefiles :=$(wildcard ./make/*.example.mk)
+examples :=$(wildcard ./make/examples/*/Makefile.test)
+
+# $1 - makefile name relative to ./make/ folder
+# $2 - target
+# $3 - output folder
+# We need to change dir to the final makefile directory or relative paths won't match.
+# Dynamic values are replaced with "" so we can do diff against checkout versions.
+# Avoid comparing local paths by stripping the prefix.
+# Delete lines referencing temporary files and directories
+# Unify make error output between versions
+# Ignore old cp errors on centos7
+# Ignore different make output with `-k` option
+define update-makefile-log
+mkdir -p "$(3)"
+set -o pipefail; $(MAKE) -j 1 -C "$(dir $(1))" -f "$(notdir $(1))" --no-print-directory --warn-undefined-variables $(2) 2>&1 | \
+ sed 's/\.\(buildDate\|versionFromGit\|commitFromGit\|gitTreeState\)="[^"]*" /.\1="" /g' | \
+ sed -E 's~/.*/(github.com/openshift/library-go/alpha-build-machinery/.*)~/\1~g' | \
+ sed '/\/tmp\/tmp./d' | \
+ sed '/git checkout -b/d' | \
+ sed -E 's~^[<> ]*((\+\+\+|\-\-\-) \./(testing/)?manifests/.*.yaml).*~\1~' | \
+ sed -E 's/^(make\[2\]: \*\*\* \[).*: (.*\] Error 1)/\1\2/' | \
+ grep -v 'are the same file' | \
+ grep -E -v -e '^make\[2\]: Target `.*'"'"' not remade because of errors\.$$' | \
+ tee "$(3)"/"$(notdir $(1))"$(subst ..,.,.$(2).log)
+
+endef
+
+
+# $1 - makefile name relative to ./make/ folder
+# $2 - target
+# $3 - output folder
+define check-makefile-log
+$(call update-makefile-log,$(1),$(2),$(3))
+diff -N "$(1)$(subst ..,.,.$(2).log)" "$(3)/$(notdir $(1))$(subst ..,.,.$(2).log)"
+
+endef
+
+update-makefiles:
+ $(foreach f,$(makefiles),$(call check-makefile-log,$(f),help,$(dir $(f))))
+ $(foreach f,$(examples),$(call check-makefile-log,$(f),,$(dir $(f))))
+.PHONY: update-makefiles
+
+verify-makefiles: tmp_dir:=$(shell mktemp -d)
+verify-makefiles:
+ $(foreach f,$(makefiles),$(call check-makefile-log,$(f),help,$(tmp_dir)/$(dir $(f))))
+ $(foreach f,$(examples),$(call check-makefile-log,$(f),,$(tmp_dir)/$(dir $(f))))
+.PHONY: verify-makefiles
+
+verify: verify-makefiles
+.PHONY: verify
+
+update: update-makefiles
+.PHONY: update
+
+
+include ./make/targets/help.mk
diff --git a/hack/alpha-build-machinery/OWNERS b/hack/alpha-build-machinery/OWNERS
new file mode 100644
index 00000000000..ff2b6a24c8c
--- /dev/null
+++ b/hack/alpha-build-machinery/OWNERS
@@ -0,0 +1,4 @@
+reviewers:
+ - tnozicka
+approvers:
+ - tnozicka
diff --git a/hack/alpha-build-machinery/README.md b/hack/alpha-build-machinery/README.md
new file mode 100644
index 00000000000..294a5834a82
--- /dev/null
+++ b/hack/alpha-build-machinery/README.md
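Review bot: `verify-makefiles: tmp_dir:=$(shell mktemp -d)` is a simply-expanded target-specific variable, so the mktemp call appears to run whenever the makefile is parsed rather than only when verify-makefiles is built, and nothing removes the directory afterwards, so every invocation (including `make help`) leaks one. If mktemp fails the variable is empty and `$(tmp_dir)/$(dir $(f))` degrades to a root-anchored path such as `/./make/`, so the recipe should refuse to run on an empty value: make `$(if $(strip $(tmp_dir)),,$(error tmp_dir is empty))` the first line of the verify-makefiles recipe and `rm -rf "$(tmp_dir)"` its last. Keep `:=` rather than `=`, since a recursive assignment would hand a fresh directory to every reference of `$(tmp_dir)`.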
@@ -0,0 +1,37 @@ +# library-go/alpha-build-machinery +These are the building blocks for this and many of our other repositories to share code for Makefiles, helper scripts and other build related machinery. + +## Makefiles +`make/` directory contains several predefined makefiles `(*.mk)` to choose from and include one of them as a base in your final `Makefile`. These are the predefined flows providing you with e.g. `build`, `test` or `verify` targets. To start with it is recommended you base Makefile on the corresponding `*.example.mk` using copy&paste. + +As some advanced targets are generated, every Makefile contains `make help` target listing all the available ones. All of the "example" makefiles have a corresponding `.help` file listing all the targets available there. + +Also for advanced use and if none of the predefined flows doesn't fit your needs, you can compose the flow from modules in similar way to how the predefined flows do, + +### Golang +Standard makefile for building pure Golang projects. + - [make/golang.mk](make/golang.mk) + - [make/golang.example.mk](make/golang.example.mk) + - [make/golang.example.mk.help](make/golang.example.mk.help) + +### Default +Standard makefile for OpenShift Golang projects. + +Extends [#Golang](). + + - [make/default.mk](make/default.mk) + - [make/default.example.mk](make/default.example.mk) + - [make/default.example.mk.help](make/default.example.mk.help) + +### Operator +Standard makefile for OpenShift Golang projects. + +Extends [#Default](). + + - [make/operator.mk](make/operator.mk) + - [make/operator.example.mk](make/operator.example.mk) + - [make/operator.example.mk.help](make/operator.example.mk.help) + + +## Scripts +`scripts` contain more complicated logic that is used in some make targets. diff --git a/hack/alpha-build-machinery/doc.go b/hack/alpha-build-machinery/doc.go new file mode 100644 index 00000000000..a093b4bd173 --- /dev/null +++ b/hack/alpha-build-machinery/doc.go 
@@ -0,0 +1,14 @@
+// required for gomod to pull in packages.
+
+package alpha_build_machinery
+
+// this is a dependency magnet to make it easier to pull in the build-machinery. We want a single import to pull all of it in.
+import (
+ _ "github.com/openshift/library-go/alpha-build-machinery/make"
+ _ "github.com/openshift/library-go/alpha-build-machinery/make/lib"
+ _ "github.com/openshift/library-go/alpha-build-machinery/make/targets"
+ _ "github.com/openshift/library-go/alpha-build-machinery/make/targets/golang"
+ _ "github.com/openshift/library-go/alpha-build-machinery/make/targets/openshift"
+ _ "github.com/openshift/library-go/alpha-build-machinery/make/targets/openshift/operator"
+ _ "github.com/openshift/library-go/alpha-build-machinery/scripts"
+)
diff --git a/hack/alpha-build-machinery/make/default.example.mk b/hack/alpha-build-machinery/make/default.example.mk
new file mode 100644
index 00000000000..fffc5b3a3c9
--- /dev/null
+++ b/hack/alpha-build-machinery/make/default.example.mk
@@ -0,0 +1,40 @@ +all: build +.PHONY: all + +# You can customize go tools depending on the directory layout. +# example: +GO_BUILD_PACKAGES :=./pkg/... +# You can list all the golang related variables by: +# $ make -n --print-data-base | grep ^GO + +# Include the library makefile +include ./default.mk +# All the available targets are listed in .help +# or you can list it live by using `make help` + +# Codegen module needs setting these required variables +CODEGEN_OUTPUT_PACKAGE :=github.com/openshift/cluster-openshift-apiserver-operator/pkg/generated +CODEGEN_API_PACKAGE :=github.com/openshift/cluster-openshift-apiserver-operator/pkg/apis +CODEGEN_GROUPS_VERSION :=openshiftapiserver:v1alpha1 +# You can list all codegen related variables by: +# $ make -n --print-data-base | grep ^CODEGEN + +# This will call a macro called "build-image" which will generate image specific targets based on the parameters: +# $1 - target name +# $2 - image ref +# $3 - Dockerfile path +# $4 - context +# It will generate target "image-$(1)" for builing the image an binding it as a prerequisite to target "images". +$(call build-image,ocp-cli,registry.svc.ci.openshift.org/ocp/4.2:cli,./images/cli/Dockerfile.rhel,.) + +# This will call a macro called "add-bindata" which will generate bindata specific targets based on the parameters: +# $0 - macro name +# $1 - target suffix +# $2 - input dirs +# $3 - prefix +# $4 - pkg +# $5 - output +# It will generate targets {update,verify}-bindata-$(1) logically grouping them in unsuffixed versions of these targets +# and also hooked into {update,verify}-generated for broader integration. +$(call add-bindata,v3.11.0,./bindata/v3.11.0/...,bindata,v311_00_assets,pkg/operator/v311_00_assets/bindata.go) + diff --git a/hack/alpha-build-machinery/make/default.example.mk.help.log b/hack/alpha-build-machinery/make/default.example.mk.help.log new file mode 100644 index 00000000000..92aa6acdbb8 --- /dev/null 
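Review bot: The comment above the `build-image` call has two typos that will be copied into every consumer's Makefile: `# It will generate target "image-$(1)" for builing the image an binding it as a prerequisite to target "images".` should read `for building the image and binding it as a prerequisite to target "images"`. The same line appears in make/operator.example.mk in this series, so fix both copies. The `add-bindata` comment also lists `$0 - macro name`, which is not an argument callers pass; dropping it keeps the list aligned with the five values actually given in the call below it.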
+++ b/hack/alpha-build-machinery/make/default.example.mk.help.log @@ -0,0 +1,25 @@ +The following make targets are available: +all +build +clean +clean-binaries +help +image-ocp-cli +images +test +test-unit +update +update-bindata +update-codegen +update-deps +update-deps-overrides +update-generated +update-gofmt +verify +verify-bindata +verify-codegen +verify-deps +verify-generated +verify-gofmt +verify-golint +verify-govet diff --git a/hack/alpha-build-machinery/make/default.mk b/hack/alpha-build-machinery/make/default.mk new file mode 100644 index 00000000000..564fc122970 --- /dev/null +++ b/hack/alpha-build-machinery/make/default.mk @@ -0,0 +1,23 @@ +self_dir := $(dir $(lastword $(MAKEFILE_LIST))) + +# We extend the default verify/update for Golang + +verify: verify-codegen +verify: verify-bindata +.PHONY: verify + +update: update-codegen +update: update-bindata +.PHONY: update + + +# We need to be careful to expand all the paths before any include is done +# or self_dir could be modified for the next include by the included file. +# Also doing this at the end of the file allows us to user self_dir before it could be modified. +include $(addprefix $(self_dir), \ + targets/openshift/deps.mk \ + targets/openshift/images.mk \ + targets/openshift/bindata.mk \ + targets/openshift/codegen.mk \ + golang.mk \ +) diff --git a/hack/alpha-build-machinery/make/doc.go b/hack/alpha-build-machinery/make/doc.go new file mode 100644 index 00000000000..66ba5512e1f --- /dev/null +++ b/hack/alpha-build-machinery/make/doc.go @@ -0,0 +1,3 @@ +// required for gomod to pull in packages. + +package alpha_build_machinery diff --git a/hack/alpha-build-machinery/make/golang.example.mk b/hack/alpha-build-machinery/make/golang.example.mk new file mode 100644 index 00000000000..aba2c489032 --- /dev/null +++ b/hack/alpha-build-machinery/make/golang.example.mk 
@@ -0,0 +1,14 @@ +all: build +.PHONY: all + + +# You can customize go tools depending on the directory layout. +# example: +GO_BUILD_PACKAGES :=./pkg/... +# You can list all the golang related variables by: +# $ make -n --print-data-base | grep ^GO + +# Include the library makefile +include ./golang.mk +# All the available targets are listed in .help +# or you can list it live by using `make help` diff --git a/hack/alpha-build-machinery/make/golang.example.mk.help.log b/hack/alpha-build-machinery/make/golang.example.mk.help.log new file mode 100644 index 00000000000..a5cc906ddf6 --- /dev/null +++ b/hack/alpha-build-machinery/make/golang.example.mk.help.log @@ -0,0 +1,14 @@ +The following make targets are available: +all +build +clean +clean-binaries +help +test +test-unit +update +update-gofmt +verify +verify-gofmt +verify-golint +verify-govet diff --git a/hack/alpha-build-machinery/make/golang.mk b/hack/alpha-build-machinery/make/golang.mk new file mode 100644 index 00000000000..15a0b49bcb0 --- /dev/null +++ b/hack/alpha-build-machinery/make/golang.mk @@ -0,0 +1,28 @@ +all: build +.PHONY: all + +self_dir := $(dir $(lastword $(MAKEFILE_LIST))) + + +verify: verify-gofmt +verify: verify-govet +.PHONY: verify + +update: update-gofmt +.PHONY: update + + +test: test-unit +.PHONY: test + +clean: clean-binaries +.PHONY: clean + + +# We need to be careful to expand all the paths before any include is done +# or self_dir could be modified for the next include by the included file. +# Also doing this at the end of the file allows us to use self_dir before it could be modified. +include $(addprefix $(self_dir), \ + targets/help.mk \ + targets/golang/*.mk \ +) diff --git a/hack/alpha-build-machinery/make/lib/doc.go b/hack/alpha-build-machinery/make/lib/doc.go new file mode 100644 index 00000000000..66ba5512e1f --- /dev/null +++ b/hack/alpha-build-machinery/make/lib/doc.go @@ -0,0 +1,3 @@ +// required for gomod to pull in packages. + +package alpha_build_machinery 
diff --git a/hack/alpha-build-machinery/make/lib/golang.mk b/hack/alpha-build-machinery/make/lib/golang.mk new file mode 100644 index 00000000000..89d457ef0e9 --- /dev/null +++ b/hack/alpha-build-machinery/make/lib/golang.mk @@ -0,0 +1,39 @@ +GO ?=go +GOPATH ?=$(shell $(GO) env GOPATH) +GO_PACKAGE ?=$(shell $(GO) list -e -f '{{ .ImportPath }}' . || echo 'no_package_detected') + +GOOS ?=$(shell $(GO) env GOOS) +GOHOSTOS ?=$(shell $(GO) env GOHOSTOS) +GOARCH ?=$(shell $(GO) env GOARCH) +GOHOSTARCH ?=$(shell $(GO) env GOHOSTARCH) +GOEXE ?=$(shell $(GO) env GOEXE) + +GOFMT ?=gofmt +GOFMT_FLAGS ?=-s -l +GOLINT ?=golint + +GO_FILES ?=$(shell find . -name '*.go' -not -path '*/vendor/*' -not -path '*/_output/*' -print) +GO_PACKAGES ?=./... +GO_TEST_PACKAGES ?=$(GO_PACKAGES) + +GO_BUILD_PACKAGES ?=./cmd/... +GO_BUILD_PACKAGES_EXPANDED ?=$(shell $(GO) list $(GO_BUILD_PACKAGES)) +go_build_binaries =$(notdir $(GO_BUILD_PACKAGES_EXPANDED)) +GO_BUILD_FLAGS ?= +GO_BUILD_BINDIR ?= + +GO_TEST_FLAGS ?=-race + +GO_LD_EXTRAFLAGS ?= + +SOURCE_GIT_TAG ?=$(shell git describe --long --tags --abbrev=7 --match 'v[0-9]*' || echo 'v0.0.0-unknown') +SOURCE_GIT_COMMIT ?=$(shell git rev-parse --short "HEAD^{commit}" 2>/dev/null) +SOURCE_GIT_TREE_STATE ?=$(shell ( ( [ ! -d ".git/" ] || git diff --quiet ) && echo 'clean' ) || echo 'dirty') + +define version-ldflags +-X $(1).versionFromGit="$(SOURCE_GIT_TAG)" \ +-X $(1).commitFromGit="$(SOURCE_GIT_COMMIT)" \ +-X $(1).gitTreeState="$(SOURCE_GIT_TREE_STATE)" \ +-X $(1).buildDate="$(shell date -u +'%Y-%m-%dT%H:%M:%SZ')" +endef +GO_LD_FLAGS ?=-ldflags "-s -w $(call version-ldflags,$(GO_PACKAGE)/pkg/version) $(GO_LD_EXTRAFLAGS)" diff --git a/hack/alpha-build-machinery/make/lib/tmp.mk b/hack/alpha-build-machinery/make/lib/tmp.mk new file mode 100644 index 00000000000..a0fb655359a --- /dev/null +++ b/hack/alpha-build-machinery/make/lib/tmp.mk @@ -0,0 +1,2 @@ +PERMANENT_TMP :=_output +PERMANENT_TMP_GOPATH :=$(PERMANENT_TMP)/tools 
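Review bot: Every `?=$(shell …)` assignment in lib/golang.mk (`GOPATH`, `GO_PACKAGE`, `GOOS` through `GOEXE`, `GO_FILES`, `GO_BUILD_PACKAGES_EXPANDED`, the three `SOURCE_GIT_*` values) is recursively expanded, so the `go env`, `go list`, `find` and `git` commands are re-run on every reference instead of once at parse time; `GO_FILES` alone is referenced several times per target in verify-update.mk. Freezing each value right after its conditional default keeps command-line overrides working while expanding once, e.g. `GO_FILES ?=$(shell find …)` followed by `GO_FILES :=$(GO_FILES)`. The `date` call inside `version-ldflags` is likewise re-evaluated each time `GO_LD_FLAGS` is expanded, so binaries produced by one `make build` run can carry different `buildDate` values.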
diff --git a/hack/alpha-build-machinery/make/operator.example.mk b/hack/alpha-build-machinery/make/operator.example.mk new file mode 100644 index 00000000000..7e6ff98d56a --- /dev/null +++ b/hack/alpha-build-machinery/make/operator.example.mk 
@@ -0,0 +1,42 @@ +all: build +.PHONY: all + + +# You can customize go tools depending on the directory layout. +# example: +GO_BUILD_PACKAGES :=./pkg/... +# You can list all the golang related variables by: +# $ make -n --print-data-base | grep ^GO + +# Include the library makefile +include ./operator.mk +# All the available targets are listed in .help +# or you can list it live by using `make help` + + +# Codegen module needs setting these required variables +CODEGEN_OUTPUT_PACKAGE :=github.com/openshift/cluster-openshift-apiserver-operator/pkg/generated +CODEGEN_API_PACKAGE :=github.com/openshift/cluster-openshift-apiserver-operator/pkg/apis +CODEGEN_GROUPS_VERSION :=openshiftapiserver:v1alpha1 +# You can list all codegen related variables by: +# $ make -n --print-data-base | grep ^CODEGEN + +# This will call a macro called "build-image" which will generate image specific targets based on the parameters: +# $1 - target name +# $2 - image ref +# $3 - Dockerfile path +# $4 - context +# It will generate target "image-$(1)" for builing the image an binding it as a prerequisite to target "images". +$(call build-image,ocp-openshift-apiserver-operator,registry.svc.ci.openshift.org/ocp/4.2:openshift-apiserver-operator,./Dockerfile.rhel,.) + +# This will call a macro called "add-bindata" which will generate bindata specific targets based on the parameters: +# $0 - macro name +# $1 - target suffix +# $2 - input dirs +# $3 - prefix +# $4 - pkg +# $5 - output +# It will generate targets {update,verify}-bindata-$(1) logically grouping them in unsuffixed versions of these targets +# and also hooked into {update,verify}-generated for broader integration. +$(call add-bindata,v3.11.0,./bindata/v3.11.0/...,bindata,v311_00_assets,pkg/operator/v311_00_assets/bindata.go) + diff --git a/hack/alpha-build-machinery/make/operator.example.mk.help.log b/hack/alpha-build-machinery/make/operator.example.mk.help.log new file mode 100644 index 00000000000..a1489d212ba --- /dev/null 
+++ b/hack/alpha-build-machinery/make/operator.example.mk.help.log @@ -0,0 +1,25 @@ +The following make targets are available: +all +build +clean +clean-binaries +help +image-ocp-openshift-apiserver-operator +images +test +test-unit +update +update-bindata +update-codegen +update-deps +update-deps-overrides +update-generated +update-gofmt +verify +verify-bindata +verify-codegen +verify-deps +verify-generated +verify-gofmt +verify-golint +verify-govet diff --git a/hack/alpha-build-machinery/make/operator.mk b/hack/alpha-build-machinery/make/operator.mk new file mode 100644 index 00000000000..d763df46176 --- /dev/null +++ b/hack/alpha-build-machinery/make/operator.mk @@ -0,0 +1,11 @@ +self_dir := $(dir $(lastword $(MAKEFILE_LIST))) + + +# We need to be careful to expand all the paths before any include is done +# or self_dir could be modified for the next include by the included file. +# Also doing this at the end of the file allows us to use self_dir before it could be modified. +include $(addprefix $(self_dir), \ + default.mk \ + targets/openshift/operator/*.mk \ +) + diff --git a/hack/alpha-build-machinery/make/targets/doc.go b/hack/alpha-build-machinery/make/targets/doc.go new file mode 100644 index 00000000000..66ba5512e1f --- /dev/null +++ b/hack/alpha-build-machinery/make/targets/doc.go @@ -0,0 +1,3 @@ +// required for gomod to pull in packages. + +package alpha_build_machinery diff --git a/hack/alpha-build-machinery/make/targets/golang/build.mk b/hack/alpha-build-machinery/make/targets/golang/build.mk new file mode 100644 index 00000000000..9a71cb793ac --- /dev/null +++ b/hack/alpha-build-machinery/make/targets/golang/build.mk 
@@ -0,0 +1,28 @@ +self_dir :=$(dir $(lastword $(MAKEFILE_LIST))) + +define build-package + $(if $(GO_BUILD_BINDIR),mkdir -p '$(GO_BUILD_BINDIR)',) + $(strip $(GO) build $(GO_BUILD_FLAGS) $(GO_LD_FLAGS) \ + $(if $(GO_BUILD_BINDIR),-o '$(GO_BUILD_BINDIR)/$(notdir $(1))$(GOEXE)',) \ + $(1)) + +endef + +# We need to build each package separately so go build creates appropriate binaries +build: + $(foreach package,$(GO_BUILD_PACKAGES_EXPANDED),$(call build-package,$(package))) +.PHONY: build + +clean-binaries: + $(RM) $(go_build_binaries) +.PHONY: clean-binaries + +clean: clean-binaries +.PHONY: clean + +# We need to be careful to expand all the paths before any include is done +# or self_dir could be modified for the next include by the included file. +# Also doing this at the end of the file allows us to user self_dir before it could be modified. +include $(addprefix $(self_dir), \ + ../../lib/golang.mk \ +) diff --git a/hack/alpha-build-machinery/make/targets/golang/doc.go b/hack/alpha-build-machinery/make/targets/golang/doc.go new file mode 100644 index 00000000000..66ba5512e1f --- /dev/null +++ b/hack/alpha-build-machinery/make/targets/golang/doc.go @@ -0,0 +1,3 @@ +// required for gomod to pull in packages. + +package alpha_build_machinery diff --git a/hack/alpha-build-machinery/make/targets/golang/test-unit.mk b/hack/alpha-build-machinery/make/targets/golang/test-unit.mk new file mode 100644 index 00000000000..f96c8ccd732 --- /dev/null +++ b/hack/alpha-build-machinery/make/targets/golang/test-unit.mk 
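Review bot: `clean-binaries` removes `$(go_build_binaries)` from the working directory, but when `GO_BUILD_BINDIR` is set `build-package` writes the binaries to `$(GO_BUILD_BINDIR)/<name>$(GOEXE)`, so clean misses them and instead deletes any same-named files in the repo root. `$(RM) $(addprefix $(if $(GO_BUILD_BINDIR),$(GO_BUILD_BINDIR)/),$(addsuffix $(GOEXE),$(go_build_binaries)))` mirrors the path the build uses. Separately, the `build` recipe is one recipe line whose `$(foreach …)` expansion contains newlines, so all package builds appear to be handed to a single shell without `-e`; if that reading is right, a failing `go build` for an early package is masked by a later successful one, and joining the expanded commands with `&&` or emitting one recipe line per package would surface it. The trailing comment also says "allows us to user self_dir" where "use self_dir" is meant (same typo in test-unit.mk, verify-update.mk, controller-gen.mk, crd-schema-gen.mk, rpm.mk and yq.mk).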
@@ -0,0 +1,19 @@ +self_dir :=$(dir $(lastword $(MAKEFILE_LIST))) + +test-unit: +ifndef JUNITFILE + $(GO) test $(GO_TEST_FLAGS) $(GO_TEST_PACKAGES) +else +ifeq (, $(shell which gotest2junit 2>/dev/null)) + $(error gotest2junit not found! Get it by `go get -u github.com/openshift/release/tools/gotest2junit`.) +endif + set -o pipefail; $(GO) test $(GO_TEST_FLAGS) -json $(GO_TEST_PACKAGES) | gotest2junit > $(JUNITFILE) +endif +.PHONY: test-unit + +# We need to be careful to expand all the paths before any include is done +# or self_dir could be modified for the next include by the included file. +# Also doing this at the end of the file allows us to user self_dir before it could be modified. +include $(addprefix $(self_dir), \ + ../../lib/golang.mk \ +) diff --git a/hack/alpha-build-machinery/make/targets/golang/verify-update.mk b/hack/alpha-build-machinery/make/targets/golang/verify-update.mk new file mode 100644 index 00000000000..2034cd10e11 --- /dev/null +++ b/hack/alpha-build-machinery/make/targets/golang/verify-update.mk 
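Review bot: The `JUNITFILE` branch runs `set -o pipefail; …`, but none of the included files set `SHELL`, so under the default `/bin/sh` (dash on Debian-derived images) the recipe fails with an illegal-option error before any test runs. Either set `SHELL :=/bin/bash` in lib/golang.mk, where the other shared defaults live, or drop `pipefail` and check `$${PIPESTATUS[0]}`-free alternatives such as writing the JSON to a file first. Quoting the output path, `> '$(JUNITFILE)'`, matches how the rest of the machinery quotes paths. The `ifeq (, $(shell which gotest2junit 2>/dev/null))` check runs `which` at parse time on every invocation whenever `JUNITFILE` is defined, including `make help`; a recipe line of `$(if $(shell which gotest2junit 2>/dev/null),,$(error gotest2junit not found! …))` defers it to when `test-unit` actually runs.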
@@ -0,0 +1,34 @@ +self_dir :=$(dir $(lastword $(MAKEFILE_LIST))) + +go_files_count :=$(words $(GO_FILES)) + +verify-gofmt: + $(info Running `$(GOFMT) $(GOFMT_FLAGS)` on $(go_files_count) file(s).) + @TMP=$$( mktemp ); \ + $(GOFMT) $(GOFMT_FLAGS) $(GO_FILES) | tee $${TMP}; \ + if [ -s $${TMP} ]; then \ + echo "$@ failed - please run \`make update-gofmt\`"; \ + exit 1; \ + fi; +.PHONY: verify-gofmt + +update-gofmt: + $(info Running `$(GOFMT) $(GOFMT_FLAGS) -w` on $(go_files_count) file(s).) + @$(GOFMT) $(GOFMT_FLAGS) -w $(GO_FILES) +.PHONY: update-gofmt + + +verify-govet: + $(GO) vet $(GO_PACKAGES) +.PHONY: verify-govet + +verify-golint: + $(GOLINT) $(GO_PACKAGES) +.PHONY: verify-govet + +# We need to be careful to expand all the paths before any include is done +# or self_dir could be modified for the next include by the included file. +# Also doing this at the end of the file allows us to user self_dir before it could be modified. +include $(addprefix $(self_dir), \ + ../../lib/golang.mk \ +) diff --git a/hack/alpha-build-machinery/make/targets/help.mk b/hack/alpha-build-machinery/make/targets/help.mk new file mode 100644 index 00000000000..55bfbac094e --- /dev/null +++ b/hack/alpha-build-machinery/make/targets/help.mk @@ -0,0 +1,6 @@ +help: + $(info The following make targets are available:) + @$(MAKE) -f $(firstword $(MAKEFILE_LIST)) --print-data-base --question no-such-target 2>&1 | grep -v 'no-such-target' | \ + grep -v -e '^no-such-target' -e '^makefile' | \ + awk '/^[^.%][-A-Za-z0-9_]*:/ { print substr($$1, 1, length($$1)-1) }' | sort -u +.PHONY: help diff --git a/hack/alpha-build-machinery/make/targets/openshift/bindata.mk b/hack/alpha-build-machinery/make/targets/openshift/bindata.mk new file mode 100644 index 00000000000..0e78cb92742 --- /dev/null +++ b/hack/alpha-build-machinery/make/targets/openshift/bindata.mk 
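Review bot: The `.PHONY` line after the `verify-golint` rule names the wrong target: `.PHONY: verify-govet` is declared twice and `verify-golint` never, so a file or directory called `verify-golint` in the repo root would make that check a silent no-op; change it to `.PHONY: verify-golint`. In `verify-gofmt`, the `$(GOFMT) $(GOFMT_FLAGS) $(GO_FILES) | tee $${TMP}` pipeline discards gofmt's own exit status (a file gofmt cannot parse is reported on stderr but the target still passes) and the `mktemp` file is never removed; writing gofmt's output to the file first and then `cat`-ing it, with `trap 'rm -f $${TMP}' EXIT`, fixes both without needing bash's `pipefail`. Also note that golang.mk wires `verify-gofmt` and `verify-govet` into `verify` but not `verify-golint`, even though `verify-golint` is listed in the `.help` output; if that is deliberate (golint being advisory), a one-line comment on the rule would say so.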
@@ -0,0 +1,65 @@ +TMP_GOPATH :=$(shell mktemp -d) + + +.ensure-go-bindata: + ln -s $(abspath ./vendor) "$(TMP_GOPATH)/src" + export GOPATH=$(TMP_GOPATH) && export GOBIN=$(TMP_GOPATH)/bin && go install "./vendor/github.com/jteeuwen/go-bindata/..." + +# $1 - input dirs +# $2 - prefix +# $3 - pkg +# $4 - output +# $5 - output prefix +define run-bindata + $(TMP_GOPATH)/bin/go-bindata -nocompress -nometadata \ + -prefix "$(2)" \ + -pkg "$(3)" \ + -o "$(5)$(4)" \ + -ignore "OWNERS" \ + $(1) && \ + gofmt -s -w "$(5)$(4)" +endef + +# $1 - name +# $2 - input dirs +# $3 - prefix +# $4 - pkg +# $5 - output +define add-bindata-internal +update-bindata-$(1): .ensure-go-bindata + $(call run-bindata,$(2),$(3),$(4),$(5),) +.PHONY: update-bindata-$(1) + +update-bindata: update-bindata-$(1) +.PHONY: update-bindata + + +verify-bindata-$(1): .ensure-go-bindata +verify-bindata-$(1): TMP_DIR := $$(shell mktemp -d) +verify-bindata-$(1): + $(call run-bindata,$(2),$(3),$(4),$(5),$$(TMP_DIR)/) && \ + diff -Naup {.,$$(TMP_DIR)}/$(5) +.PHONY: verify-bindata-$(1) + +verify-bindata: verify-bindata-$(1) +.PHONY: verify-bindata +endef + + +update-generated: update-bindata +.PHONY: update-bindata + +update: update-generated +.PHONY: update + + +verify-generated: verify-bindata +.PHONY: verify-bindata + +verify: verify-generated +.PHONY: verify + + +define add-bindata +$(eval $(call add-bindata-internal,$(1),$(2),$(3),$(4),$(5))) +endef diff --git a/hack/alpha-build-machinery/make/targets/openshift/codegen.mk b/hack/alpha-build-machinery/make/targets/openshift/codegen.mk new file mode 100644 index 00000000000..247de9417ca --- /dev/null +++ b/hack/alpha-build-machinery/make/targets/openshift/codegen.mk 
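Review bot: The `.PHONY` declarations after the `update-generated: update-bindata` and `verify-generated: verify-bindata` rules name the prerequisite rather than the target (`.PHONY: update-bindata` / `.PHONY: verify-bindata`), leaving `update-generated` and `verify-generated` undeclared in this file; they should read `.PHONY: update-generated` and `.PHONY: verify-generated`, as codegen.mk in this same series does. `TMP_GOPATH :=$(shell mktemp -d)` at the top and the per-target `TMP_DIR := $$(shell mktemp -d)` inside `add-bindata-internal` are both simply-expanded, so every `make` invocation — including `make help` or `make -n` — creates temp directories that nothing ever removes. Creating them inside the `.ensure-go-bindata` and `verify-bindata-$(1)` recipes, with a `trap … EXIT` cleanup on the `diff` line, bounds the leak. The `go install` in `.ensure-go-bindata` also bypasses the `$(GO)` override honoured everywhere else.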
@@ -0,0 +1,41 @@ +CODEGEN_PKG ?=./vendor/k8s.io/code-generator/ +CODEGEN_GENERATORS ?=all +CODEGEN_OUTPUT_BASE ?=../../.. +CODEGEN_GO_HEADER_FILE ?=/dev/null + +CODEGEN_API_PACKAGE ?=$(error CODEGEN_API_PACKAGE is required) +CODEGEN_GROUPS_VERSION ?=$(error CODEGEN_GROUPS_VERSION is required) +CODEGEN_OUTPUT_PACKAGE ?=$(error CODEGEN_OUTPUT_PACKAGE is required) + +define run-codegen +$(CODEGEN_PKG)/generate-groups.sh \ + "$(CODEGEN_GENERATORS)" \ + "$(CODEGEN_OUTPUT_PACKAGE)" \ + "$(CODEGEN_API_PACKAGE)" \ + "$(CODEGEN_GROUPS_VERSION)" \ + --output-base $(CODEGEN_OUTPUT_BASE) \ + --go-header-file $(CODEGEN_GO_HEADER_FILE) \ + $1 +endef + + +verify-codegen: + $(call run-codegen,--verify-only) +.PHONY: verify-codegen + +verify-generated: verify-codegen +.PHONY: verify-generated + +verify: verify-generated +.PHONY: verify + + +update-codegen: + $(call run-codegen) +.PHONY: update-codegen + +update-generated: update-codegen +.PHONY: update-generated + +update: update-generated +.PHONY: update diff --git a/hack/alpha-build-machinery/make/targets/openshift/controller-gen.mk b/hack/alpha-build-machinery/make/targets/openshift/controller-gen.mk new file mode 100644 index 00000000000..fd0ff401e80 --- /dev/null +++ b/hack/alpha-build-machinery/make/targets/openshift/controller-gen.mk 
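Review bot: In `run-codegen`, `--output-base $(CODEGEN_OUTPUT_BASE)` and `--go-header-file $(CODEGEN_GO_HEADER_FILE)` are the only unquoted arguments while the positional ones are double-quoted; quoting them the same way keeps a path containing spaces from splitting. `CODEGEN_OUTPUT_BASE ?=../../..` presumably assumes the repository is checked out at `$GOPATH/src/<host>/<org>/<repo>`, which is what three levels of `..` would undo; a comment stating that assumption, e.g. `# Default assumes a GOPATH layout of $GOPATH/src/<host>/<org>/<repo>`, would save the next reader from guessing.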
@@ -0,0 +1,38 @@ +self_dir :=$(dir $(lastword $(MAKEFILE_LIST))) + +CONTROLLER_GEN_VERSION ?=v0.2.1 +CONTROLLER_GEN_TEMP ?=$(PERMANENT_TMP_GOPATH)/src/sigs.k8s.io/controller-tools +controller_gen_gopath =$(shell realpath -m $(CONTROLLER_GEN_TEMP)/../..) +CONTROLLER_GEN ?=$(CONTROLLER_GEN_TEMP)/controller-gen + +ensure-controller-gen: +ifeq "" "$(wildcard $(CONTROLLER_GEN))" + $(info Installing controller-gen into "$(CONTROLLER_GEN)") + mkdir -p '$(CONTROLLER_GEN_TEMP)' + git clone -b '$(CONTROLLER_GEN_VERSION)' --single-branch --depth=1 https://github.com/kubernetes-sigs/controller-tools.git '$(CONTROLLER_GEN_TEMP)' + @echo '$(CONTROLLER_GEN_TEMP)/../..' + cd '$(CONTROLLER_GEN_TEMP)' && export GO111MODULE=on GOPATH='$(controller_gen_gopath)' && $(GO) mod vendor 2>/dev/null && $(GO) build -mod=vendor ./cmd/controller-gen +else + $(info Using existing controller-gen from "$(CONTROLLER_GEN)") +endif +.PHONY: ensure-controller-gen + +clean-controller-gen: + if [ -d '$(controller_gen_gopath)/pkg/mod' ]; then chmod +w -R '$(controller_gen_gopath)/pkg/mod'; fi + $(RM) -r '$(CONTROLLER_GEN_TEMP)' '$(controller_gen_gopath)/pkg/mod' + @mkdir -p '$(CONTROLLER_GEN_TEMP)' # to make sure we can do the next step and to avoid using '/*' wildcard on the line above which could go crazy on wrong substitution + if [ -d '$(CONTROLLER_GEN_TEMP)' ]; then rmdir --ignore-fail-on-non-empty -p '$(CONTROLLER_GEN_TEMP)'; fi + @mkdir -p '$(controller_gen_gopath)/pkg/mod' # to make sure we can do the next step and to avoid using '/*' wildcard on the line above which could go crazy on wrong substitution + if [ -d '$(controller_gen_gopath)/pkg/mod' ]; then rmdir --ignore-fail-on-non-empty -p '$(controller_gen_gopath)/pkg/mod'; fi +.PHONY: clean-controller-gen + +clean: clean-controller-gen + + +# We need to be careful to expand all the paths before any include is done +# or self_dir could be modified for the next include by the included file. 
+# Also doing this at the end of the file allows us to user self_dir before it could be modified. +include $(addprefix $(self_dir), \ + ../../lib/golang.mk \ + ../../lib/tmp.mk \ +) diff --git a/hack/alpha-build-machinery/make/targets/openshift/crd-schema-gen.mk b/hack/alpha-build-machinery/make/targets/openshift/crd-schema-gen.mk new file mode 100644 index 00000000000..44963e96d13 --- /dev/null +++ b/hack/alpha-build-machinery/make/targets/openshift/crd-schema-gen.mk 
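Review bot: `ensure-controller-gen` clones controller-tools by tag (`git clone -b '$(CONTROLLER_GEN_VERSION)' …`) and builds whatever that tag currently points to; tags are mutable, so the tool that regenerates the committed CRD schemas is not pinned to specific content. Recording the expected commit next to the version and checking it after the clone — for example a new `CONTROLLER_GEN_COMMIT` variable holding the full SHA for v0.2.1 (value not on this page) and a recipe line `test "$$(git -C '$(CONTROLLER_GEN_TEMP)' rev-parse HEAD)" = '$(CONTROLLER_GEN_COMMIT)'` — makes `update-codegen-crds` reproducible. `$(GO) mod vendor 2>/dev/null` hides the error output of the step most likely to fail on a network; dropping the redirect costs nothing. In `clean-controller-gen`, `controller_gen_gopath` is derived from `PERMANENT_TMP_GOPATH`; if that is overridden to empty, `realpath -m` resolves the `chmod -R` / `$(RM) -r` paths relative to the filesystem root rather than `_output`, so a guard such as `$(if $(strip $(PERMANENT_TMP_GOPATH)),,$(error PERMANENT_TMP_GOPATH must not be empty))` at the top of the recipe is cheap insurance.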
@@ -0,0 +1,80 @@ +self_dir :=$(dir $(lastword $(MAKEFILE_LIST))) + +# $1 - crd file +# $2 - patch file +define patch-crd + $(YQ) m -i -x '$(1)' '$(2)' + +endef + +empty := + +define diff-file + diff -Naup '$(1)' '$(2)' + +endef + +# $1 - apis +# $2 - manifests +# $3 - output +define run-crd-gen + '$(CONTROLLER_GEN)' \ + schemapatch:manifests="$(2)" \ + paths="$(subst $(empty) ,;,$(1))" \ + output:dir="$(3)" + $$(foreach p,$$(wildcard $(2)/*.crd.yaml-merge-patch),$$(call patch-crd,$$(subst $(2),$(3),$$(basename $$(p))).yaml,$$(p))) +endef + + +# $1 - target name +# $2 - apis +# $3 - manifests +# $4 - output +define add-crd-gen-internal + +update-codegen-crds-$(1): ensure-controller-gen ensure-yq + $(call run-crd-gen,$(2),$(3),$(4)) +.PHONY: update-codegen-crds-$(1) + +update-codegen-crds: update-codegen-crds-$(1) +.PHONY: update-codegen-crds + +verify-codegen-crds-$(1): VERIFY_CODEGEN_CRD_TMP_DIR:=$(shell mktemp -d) +verify-codegen-crds-$(1): ensure-controller-gen ensure-yq + $(call run-crd-gen,$(2),$(3),$$(VERIFY_CODEGEN_CRD_TMP_DIR)) + $$(foreach p,$$(wildcard $(3)/*.crd.yaml),$$(call diff-file,$$(p),$$(subst $(3),$$(VERIFY_CODEGEN_CRD_TMP_DIR),$$(p)))) +.PHONY: verify-codegen-crds-$(1) + +verify-codegen-crds: verify-codegen-crds-$(1) +.PHONY: verify-codegen-crds + +endef + + +update-generated: update-codegen-crds +.PHONY: update-generated + +update: update-generated +.PHONY: update + +verify-generated: verify-codegen-crds +.PHONY: verify-generated + +verify: verify-generated +.PHONY: verify + + +define add-crd-gen +$(eval $(call add-crd-gen-internal,$(1),$(2),$(3),$(4))) +endef + + +# We need to be careful to expand all the paths before any include is done +# or self_dir could be modified for the next include by the included file. +# Also doing this at the end of the file allows us to user self_dir before it could be modified. 
+include $(addprefix $(self_dir), \ + ../../lib/golang.mk \ + ../../lib/tmp.mk \ + ../../targets/openshift/controller-gen.mk \ + ../../targets/openshift/yq.mk \ +) diff --git a/hack/alpha-build-machinery/make/targets/openshift/deps.mk b/hack/alpha-build-machinery/make/targets/openshift/deps.mk new file mode 100644 index 00000000000..fafa8f9dada --- /dev/null +++ b/hack/alpha-build-machinery/make/targets/openshift/deps.mk @@ -0,0 +1,35 @@ +self_dir :=$(dir $(lastword $(MAKEFILE_LIST))) +scripts_dir :=$(self_dir)/../../../scripts + +# We need to force localle so different envs sort files the same way for recursive traversals +deps_diff :=LC_COLLATE=C diff --no-dereference -N + +update-deps: + $(scripts_dir)/$@.sh +.PHONY: update-deps + +# $1 - temporary directory to restore vendor dependencies from glide.lock +define restore-deps + ln -s $(abspath ./) "$(1)"/current + cp -R -H ./ "$(1)"/updated + $(RM) -r "$(1)"/updated/vendor + cd "$(1)"/updated && glide install --strip-vendor && find ./vendor -name '.hg_archival.txt' -delete + cd "$(1)" && $(deps_diff) -r {current,updated}/vendor/ > updated/glide.diff || true +endef + +verify-deps: tmp_dir:=$(shell mktemp -d) +verify-deps: + $(call restore-deps,$(tmp_dir)) + @echo $(deps_diff) '$(tmp_dir)'/{current,updated}/glide.diff + @ $(deps_diff) '$(tmp_dir)'/{current,updated}/glide.diff || ( \ + echo "ERROR: Content of 'vendor/' directory doesn't match 'glide.lock' and the overrides in 'glide.diff'!" && \ + echo "If this is an intentional change (a carry patch) please update the 'glide.diff' using 'make update-deps-overrides'." && \ + exit 1 \ + ) +.PHONY: verify-deps + +update-deps-overrides: tmp_dir:=$(shell mktemp -d) +update-deps-overrides: + $(call restore-deps,$(tmp_dir)) + cp "$(tmp_dir)"/{updated,current}/glide.diff +.PHONY: update-deps-overrides 
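Review bot: `verify-codegen-crds-$(1): VERIFY_CODEGEN_CRD_TMP_DIR:=$(shell mktemp -d)` inside `add-crd-gen-internal` uses a single `$`, so `mktemp` runs when `add-crd-gen` is called at parse time: every `make` invocation creates one temp directory per registered group (six in the top-level Makefile) whether or not a verify target runs, and none are ever removed. Because `run-crd-gen` and the `diff-file` loop expand to separate recipe lines, a shell-local temp name is awkward here; a deterministic directory under the existing scratch area avoids both problems: `verify-codegen-crds-$(1): VERIFY_CODEGEN_CRD_TMP_DIR:=$(PERMANENT_TMP)/verify-codegen-crds-$(1)` with `$(RM) -r '$$(VERIFY_CODEGEN_CRD_TMP_DIR)' && mkdir -p '$$(VERIFY_CODEGEN_CRD_TMP_DIR)'` as the first recipe line, so `clean` reclaims it. `patch-crd` runs `$(YQ) m -i -x` in place on the generated file; a comment noting that the `*.crd.yaml-merge-patch` files are applied after generation (and therefore must be kept in sync with the Go types) would help maintainers of the manifests.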
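Review bot: `verify-deps` and `update-deps-overrides` each declare `tmp_dir:=$(shell mktemp -d)` as a simply-expanded target-specific variable, so both `mktemp` calls run at parse time on every `make` invocation, and the directories — which `restore-deps` then fills with a full `cp -R -H ./` copy of the repository, `.git` and `vendor/` included — are never removed. Ending `restore-deps`' callers with `$(RM) -r '$(tmp_dir)'` (or running the copy and diff under a `trap` in one recipe line) keeps `/tmp` from filling up on CI workers that reuse a filesystem. `scripts_dir :=$(self_dir)/../../../scripts` introduces a double slash since `$(dir …)` already ends in `/`; harmless, but `$(self_dir)../../../scripts` matches how the includes below join paths.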
diff --git a/hack/alpha-build-machinery/make/targets/openshift/doc.go b/hack/alpha-build-machinery/make/targets/openshift/doc.go new file mode 100644 index 00000000000..66ba5512e1f --- /dev/null +++ b/hack/alpha-build-machinery/make/targets/openshift/doc.go @@ -0,0 +1,3 @@ +// required for gomod to pull in packages. + +package alpha_build_machinery diff --git a/hack/alpha-build-machinery/make/targets/openshift/images.mk b/hack/alpha-build-machinery/make/targets/openshift/images.mk new file mode 100644 index 00000000000..00e76ac2613 --- /dev/null +++ b/hack/alpha-build-machinery/make/targets/openshift/images.mk @@ -0,0 +1,29 @@ +# IMAGE_BUILD_EXTRA_FLAGS lets you add extra flags for imagebuilder +# e.g. to mount secrets and repo information into base image like: +# make images IMAGE_BUILD_EXTRA_FLAGS='-mount ~/projects/origin-repos/4.2/:/etc/yum.repos.d/' +IMAGE_BUILD_DEFAULT_FLAGS ?=--allow-pull +IMAGE_BUILD_EXTRA_FLAGS ?= + +# $1 - target name +# $2 - image ref +# $3 - Dockerfile path +# $4 - context +define build-image-internal +image-$(1): + $(strip \ + imagebuilder \ + $(IMAGE_BUILD_DEFAULT_FLAGS) \ + -t $(2) + -f $(3) \ + $(IMAGE_BUILD_EXTRA_FLAGS) \ + $(4) \ + ) +.PHONY: image-$(1) + +images: image-$(1) +.PHONY: images +endef + +define build-image +$(eval $(call build-image-internal,$(1),$(2),$(3),$(4))) +endef diff --git a/hack/alpha-build-machinery/make/targets/openshift/operator/doc.go b/hack/alpha-build-machinery/make/targets/openshift/operator/doc.go new file mode 100644 index 00000000000..66ba5512e1f --- /dev/null +++ b/hack/alpha-build-machinery/make/targets/openshift/operator/doc.go @@ -0,0 +1,3 @@ +// required for gomod to pull in packages. + +package alpha_build_machinery diff --git a/hack/alpha-build-machinery/make/targets/openshift/operator/release.mk b/hack/alpha-build-machinery/make/targets/openshift/operator/release.mk new file mode 100644 index 00000000000..07fc5605a84 --- /dev/null 
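Review bot: In `build-image-internal` the `-t $(2)` line has no trailing backslash, unlike every other argument line inside the `$(strip …)` call, so when the generated `image-$(1)` recipe is parsed the call appears to be split across two recipe lines with `$(strip` left unterminated; the first `make images` should show whether this reproduces as an "unterminated call to function" error. The fix is `-t $(2) \`. With that in place, the recipe still invokes a bare `imagebuilder`; an `IMAGEBUILDER ?=imagebuilder` knob in the style of `GO`/`GOFMT` in lib/golang.mk would let CI point at a specific binary without editing the include.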
+++ b/hack/alpha-build-machinery/make/targets/openshift/operator/release.mk @@ -0,0 +1,7 @@ +# If we need unified behaviour specific to operators, this folder is the place. + +# It seems that our previous origin-release jq based replacement is suppose to be done +# with `oc adm release new` so it might drop this target. +#origin-release: +# $(error Not implemented.) +#.PHONY: origin-release diff --git a/hack/alpha-build-machinery/make/targets/openshift/rpm.mk b/hack/alpha-build-machinery/make/targets/openshift/rpm.mk new file mode 100644 index 00000000000..b235197c74b --- /dev/null +++ b/hack/alpha-build-machinery/make/targets/openshift/rpm.mk @@ -0,0 +1,41 @@ +RPM_OUTPUT_DIR ?=_output +RPM_TOPDIR ?=$(abspath ./) +RPM_BUILDDIR ?=$(RPM_TOPDIR) +RPM_BUILDROOT ?=$(RPM_TOPDIR) +RPM_SOURCEDIR ?=$(RPM_TOPDIR) +RPM_SPECDIR ?=$(RPM_TOPDIR) +RPM_RPMDIR ?=$(RPM_TOPDIR)/$(RPM_OUTPUT_DIR)/rpms +RPM_SRCRPMDIR ?=$(RPM_TOPDIR)/$(RPM_OUTPUT_DIR)/srpms + +RPM_SPECFILES ?=$(wildcard *.spec) +RPM_BUILDFLAGS ?=-ba +RPM_EXTRAFLAGS ?= + +rpm-build: + $(strip \ + rpmbuild $(RPM_BUILDFLAGS) \ + --define "_topdir $(RPM_TOPDIR)" \ + --define "_builddir $(RPM_BUILDDIR)" \ + --define "_buildrootdir $(RPM_BUILDROOT)" \ + --define "_rpmdir $(RPM_RPMDIR)" \ + --define "_srcrpmdir $(RPM_SRCRPMDIR)" \ + --define "_specdir $(RPM_SPECDIR)" \ + --define "_sourcedir $(RPM_SOURCEDIR)" \ + --define "go_package $(GO_PACKAGE)" \ + $(RPM_EXTRAFLAGS) \ + $(RPM_SPECFILES) \ + ) + +clean-rpms: + $(RM) -r '$(RPM_RPMDIR)' '$(RPM_SRCRPMDIR)' + if [ -d '$(RPM_OUTPUT_DIR)' ]; then rmdir --ignore-fail-on-non-empty '$(RPM_OUTPUT_DIR)'; fi +.PHONY: clean-rpms + +clean: clean-rpms + +# We need to be careful to expand all the paths before any include is done +# or self_dir could be modified for the next include by the included file. +# Also doing this at the end of the file allows us to user self_dir before it could be modified. +include $(addprefix $(self_dir), \ + ../../lib/golang.mk \ +) 
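Review bot: rpm.mk ends with `include $(addprefix $(self_dir), ../../lib/golang.mk)` but never sets `self_dir` itself, unlike every other target file in this series where `self_dir :=$(dir $(lastword $(MAKEFILE_LIST)))` is the first line, so the include resolves relative to whichever file last assigned `self_dir` — or to `./` if none did. Add that same first line here. `rpm-build` is also the only command-style target in the set without a `.PHONY` declaration, so a file or directory named `rpm-build` in the repo root would turn it into a no-op; `.PHONY: rpm-build` after the rule fixes that.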
diff --git a/hack/alpha-build-machinery/make/targets/openshift/yq.mk b/hack/alpha-build-machinery/make/targets/openshift/yq.mk new file mode 100644 index 00000000000..7dd556d4009 --- /dev/null +++ b/hack/alpha-build-machinery/make/targets/openshift/yq.mk @@ -0,0 +1,32 @@ +self_dir :=$(dir $(lastword $(MAKEFILE_LIST))) + +YQ ?=$(PERMANENT_TMP_GOPATH)/bin/yq +yq_dir :=$(dir $(YQ)) + + +ensure-yq: +ifeq "" "$(wildcard $(YQ))" + $(info Installing yq into '$(YQ)') + mkdir -p '$(yq_dir)' + curl -s -f -L https://github.com/mikefarah/yq/releases/download/2.4.0/yq_$(GOHOSTOS)_$(GOHOSTARCH) -o '$(YQ)' + chmod +x '$(YQ)'; +else + $(info Using existing yq from "$(YQ)") +endif +.PHONY: ensure-yq + +clean-yq: + $(RM) '$(YQ)' + if [ -d '$(yq_dir)' ]; then rmdir --ignore-fail-on-non-empty -p '$(yq_dir)'; fi +.PHONY: clean-yq + +clean: clean-yq + + +# We need to be careful to expand all the paths before any include is done +# or self_dir could be modified for the next include by the included file. +# Also doing this at the end of the file allows us to user self_dir before it could be modified. +include $(addprefix $(self_dir), \ + ../../lib/golang.mk \ + ../../lib/tmp.mk \ +) diff --git a/hack/alpha-build-machinery/scripts/doc.go b/hack/alpha-build-machinery/scripts/doc.go new file mode 100644 index 00000000000..66ba5512e1f --- /dev/null +++ b/hack/alpha-build-machinery/scripts/doc.go @@ -0,0 +1,3 @@ +// required for gomod to pull in packages. + +package alpha_build_machinery diff --git a/hack/alpha-build-machinery/scripts/update-deps.sh b/hack/alpha-build-machinery/scripts/update-deps.sh new file mode 100755 index 00000000000..46812e939c2 --- /dev/null +++ b/hack/alpha-build-machinery/scripts/update-deps.sh 
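Review bot: `ensure-yq` downloads a release binary with `curl … -o '$(YQ)'` and marks it executable without verifying its contents, and that binary is later run by `update-codegen-crds-*` to rewrite the CRD manifests committed to the repository. Pinning a per-platform SHA-256 and checking it before the `chmod`, with the download going to a temporary name so an interrupted transfer cannot leave a partial file that `$(wildcard $(YQ))` then treats as installed, closes both gaps; the checksum values below are placeholders to be filled from the release's checksum file (not on this page), and `sha256sum` may need to be `shasum -a 256` on macOS. The hard-coded `2.4.0` in the URL is easier to audit and bump as a `YQ_VERSION ?=2.4.0` variable. The trailing `;` after `chmod +x '$(YQ)'` is harmless but inconsistent with the surrounding lines.
```make
YQ_VERSION ?=2.4.0
# Expected SHA-256 of the release asset per platform (placeholders — fill from the release's checksum file).
YQ_SHA256_linux_amd64 :=<sha256-of-yq_linux_amd64>
YQ_SHA256_darwin_amd64 :=<sha256-of-yq_darwin_amd64>
yq_sha256 =$(YQ_SHA256_$(GOHOSTOS)_$(GOHOSTARCH))

ensure-yq:
ifeq "" "$(wildcard $(YQ))"
	$(info Installing yq into '$(YQ)')
	$(if $(yq_sha256),,$(error No yq checksum recorded for $(GOHOSTOS)_$(GOHOSTARCH)))
	mkdir -p '$(yq_dir)'
	curl -s -f -L https://github.com/mikefarah/yq/releases/download/$(YQ_VERSION)/yq_$(GOHOSTOS)_$(GOHOSTARCH) -o '$(YQ).tmp'
	echo '$(yq_sha256)  $(YQ).tmp' | sha256sum -c - || { $(RM) '$(YQ).tmp'; exit 1; }
	chmod +x '$(YQ).tmp' && mv -f '$(YQ).tmp' '$(YQ)'
else
# … unchanged: "Using existing yq" branch …
endif
```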
@@ -0,0 +1,27 @@ +#!/bin/bash -e + +readonly GLIDE_MINOR_VERSION="13" +readonly REQUIRED_GLIDE_VERSION="0.$GLIDE_MINOR_VERSION" + +function verify_glide_version() { + if ! command -v glide &> /dev/null; then + echo "[FATAL] Glide was not found in \$PATH. Please install version ${REQUIRED_GLIDE_VERSION} or newer." + exit 1 + fi + + local glide_version + glide_version=($(glide --version)) + if ! echo "${glide_version[2]#v}" | awk -F. -v min=$GLIDE_MINOR_VERSION '{ exit $2 < min }'; then + echo "Detected glide version: ${glide_version[*]}." + echo "Please install Glide version ${REQUIRED_GLIDE_VERSION} or newer." + exit 1 + fi +} + +verify_glide_version + +glide update --strip-vendor + +# glide doesn't handle mercurial properly and leaves internal files (equivalent of .git/) laying around +# Given those files differ by mercurial version it was cloned with, verify-deps would break +find ./vendor -name '.hg_archival.txt' -delete diff --git a/operator/v1alpha1/0000_10_config-operator_01_imagecontentsourcepolicy.crd.yaml b/operator/v1alpha1/0000_10_config-operator_01_imagecontentsourcepolicy.crd.yaml new file mode 100644 index 00000000000..d43fddef306 --- /dev/null +++ b/operator/v1alpha1/0000_10_config-operator_01_imagecontentsourcepolicy.crd.yaml 
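Review bot: `verify_glide_version` compares only the minor field (`awk -F. -v min=$GLIDE_MINOR_VERSION '{ exit $2 < min }'`), so a future glide `1.0.x` would be rejected as older than 0.13 even though it satisfies "0.13 or newer"; comparing the major field first, e.g. `'{ exit !($1 > 0 || $2 >= min) }'`, keeps the guard meaningful across a major bump. `#!/bin/bash -e` only applies when the script is executed directly and is lost under `bash update-deps.sh`; a `set -euo pipefail` line in the body is the usual form and `pipefail` also covers the `echo … | awk` pipe. `${glide_version[2]#v}` assumes `glide --version` prints `glide version vX.Y.Z`; a comment stating that expected format would make the array index less surprising.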
@@ -0,0 +1,88 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: imagecontentsourcepolicies.operator.openshift.io +spec: + group: operator.openshift.io + scope: Cluster + names: + kind: ImageContentSourcePolicy + singular: imagecontentsourcepolicy + plural: imagecontentsourcepolicies + listKind: ImageContentSourcePolicyList + versions: + - name: v1alpha1 + served: true + storage: true + subresources: + status: {} + "validation": + "openAPIV3Schema": + description: ImageContentSourcePolicy holds cluster-wide information about how + to handle registry mirror rules. When multiple policies are defined, the outcome + of the behavior is defined on each field. + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + description: Standard object's metadata. + type: object + spec: + description: spec holds user settable values for configuration + type: object + properties: + repositoryDigestMirrors: + description: "repositoryDigestMirrors allows images referenced by image + digests in pods to be pulled from alternative mirrored repository + locations. 
The image pull specification provided to the pod will be + compared to the source locations described in RepositoryDigestMirrors + and the image may be pulled down from any of the mirrors in the list + instead of the specified repository allowing administrators to choose + a potentially faster mirror. Only image pull specifications that have + an image disgest will have this behavior applied to them - tags will + continue to be pulled from the specified repository in the pull spec. + \n Each “source” repository is treated independently; configurations + for different “source” repositories don’t interact. \n When multiple + policies are defined for the same “source” repository, the sets of + defined mirrors will be merged together, preserving the relative order + of the mirrors, if possible. For example, if policy A has mirrors + `a, b, c` and policy B has mirrors `c, d, e`, the mirrors will be + used in the order `a, b, c, d, e`. If the orders of mirror entries + conflict (e.g. `a, b` vs. `b, a`) the configuration is not rejected + but the resulting order is unspecified." + type: array + items: + description: 'RepositoryDigestMirrors holds cluster-wide information + about how to handle mirros in the registries config. Note: the mirrors + only work when pulling the images that are referenced by their digests.' + type: object + required: + - source + properties: + mirrors: + description: mirrors is one or more repositories that may also + contain the same images. The order of mirrors in this list is + treated as the user's desired priority, while source is by default + considered lower priority than all mirrors. Other cluster configuration, + including (but not limited to) other repositoryDigestMirrors + objects, may impact the exact order mirrors are contacted in, + or some mirrors may be contacted in parallel, so this should + be considered a preference rather than a guarantee of ordering. 
+ type: array + items: + type: string + source: + description: source is the repository that users refer to, e.g. + in image pull specifications. + type: string diff --git a/quota/v1/0000_03_quota-openshift_01_clusterresourcequota.crd.yaml b/quota/v1/0000_03_quota-openshift_01_clusterresourcequota.crd.yaml new file mode 100644 index 00000000000..b2c56a14076 --- /dev/null +++ b/quota/v1/0000_03_quota-openshift_01_clusterresourcequota.crd.yaml 
@@ -0,0 +1,220 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: clusterresourcequotas.quota.openshift.io +spec: + group: quota.openshift.io + names: + kind: ClusterResourceQuota + listKind: ClusterResourceQuotaList + plural: clusterresourcequotas + singular: clusterresourcequota + scope: Cluster + subresources: + status: {} + versions: + - name: v1 + served: true + storage: true + "validation": + "openAPIV3Schema": + description: ClusterResourceQuota mirrors ResourceQuota at a cluster scope. This + object is easily convertible to synthetic ResourceQuota object to allow quota + evaluation re-use. + type: object + required: + - metadata + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + description: Standard object's metadata. + type: object + spec: + description: Spec defines the desired quota + type: object + required: + - quota + - selector + properties: + quota: + description: Quota defines the desired quota + type: object + properties: + hard: + description: 'hard is the set of desired hard limits for each named + resource. 
More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/' + type: object + additionalProperties: + type: string + scopeSelector: + description: scopeSelector is also a collection of filters like + scopes that must match each object tracked by a quota but expressed + using ScopeSelectorOperator in combination with possible values. + For a resource to match, both scopes AND scopeSelector (if specified + in spec), must be matched. + type: object + properties: + matchExpressions: + description: A list of scope selector requirements by scope + of the resources. + type: array + items: + description: A scoped-resource selector requirement is a selector + that contains values, a scope name, and an operator that + relates the scope name and values. + type: object + required: + - operator + - scopeName + properties: + operator: + description: Represents a scope's relationship to a set + of values. Valid operators are In, NotIn, Exists, DoesNotExist. + type: string + scopeName: + description: The name of the scope that the selector applies + to. + type: string + values: + description: An array of string values. If the operator + is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. + type: array + items: + type: string + scopes: + description: A collection of filters that must match each object + tracked by a quota. If not specified, the quota matches all objects. + type: array + items: + description: A ResourceQuotaScope defines a filter that must match + each object tracked by a quota + type: string + selector: + description: Selector is the selector used to match projects. It should + only select active projects on the scale of dozens (though it can + select many more less active projects). These projects will contend + on object creation through this resource. 
+ type: object + properties: + annotations: + description: AnnotationSelector is used to select projects by annotation. + type: object + additionalProperties: + type: string + nullable: true + labels: + description: LabelSelector is used to select projects by label. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + additionalProperties: + type: string + nullable: true + status: + description: Status defines the actual enforced quota and its current usage + type: object + required: + - total + properties: + namespaces: + description: Namespaces slices the usage by project. This division + allows for quick resolution of deletion reconciliation inside of a + single project without requiring a recalculation across all projects. This + can be used to pull the deltas for a given project. 
+ type: array + items: + description: ResourceQuotaStatusByNamespace gives status for a particular + project + type: object + required: + - namespace + - status + properties: + namespace: + description: Namespace the project this status applies to + type: string + status: + description: Status indicates how many resources have been consumed + by this project + type: object + properties: + hard: + description: 'Hard is the set of enforced hard limits for + each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/' + type: object + additionalProperties: + type: string + used: + description: Used is the current observed total usage of the + resource in the namespace. + type: object + additionalProperties: + type: string + nullable: true + total: + description: Total defines the actual enforced quota and its current + usage across all projects + type: object + properties: + hard: + description: 'Hard is the set of enforced hard limits for each named + resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/' + type: object + additionalProperties: + type: string + used: + description: Used is the current observed total usage of the resource + in the namespace. + type: object + additionalProperties: + type: string diff --git a/security/v1/0000_03_security-openshift_01_scc.crd.yaml b/security/v1/0000_03_security-openshift_01_scc.crd.yaml new file mode 100644 index 00000000000..57a383945f8 --- /dev/null +++ b/security/v1/0000_03_security-openshift_01_scc.crd.yaml 
@@ -0,0 +1,315 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: securitycontextconstraints.security.openshift.io +spec: + group: security.openshift.io + names: + kind: SecurityContextConstraints + listKind: SecurityContextConstraintsList + plural: securitycontextconstraints + singular: securitycontextconstraints + scope: Cluster + versions: + - name: v1 + served: true + storage: true + "validation": + "openAPIV3Schema": + description: SecurityContextConstraints governs the ability to make requests + that affect the SecurityContext that will be applied to a container. For historical + reasons SCC was exposed under the core Kubernetes API group. That exposure + is deprecated and will be removed in a future release - users should instead + use the security.openshift.io group to manage SecurityContextConstraints. + type: object + required: + - allowHostDirVolumePlugin + - allowHostIPC + - allowHostNetwork + - allowHostPID + - allowHostPorts + - allowPrivilegedContainer + - allowedCapabilities + - defaultAddCapabilities + - priority + - readOnlyRootFilesystem + - requiredDropCapabilities + - volumes + properties: + allowHostDirVolumePlugin: + description: AllowHostDirVolumePlugin determines if the policy allow containers + to use the HostDir volume plugin + type: boolean + allowHostIPC: + description: AllowHostIPC determines if the policy allows host ipc in the + containers. + type: boolean + allowHostNetwork: + description: AllowHostNetwork determines if the policy allows the use of + HostNetwork in the pod spec. + type: boolean + allowHostPID: + description: AllowHostPID determines if the policy allows host pid in the + containers. + type: boolean + allowHostPorts: + description: AllowHostPorts determines if the policy allows host ports in + the containers. + type: boolean + allowPrivilegeEscalation: + description: AllowPrivilegeEscalation determines if a pod can request to + allow privilege escalation. 
If unspecified, defaults to true. + type: boolean + nullable: true + allowPrivilegedContainer: + description: AllowPrivilegedContainer determines if a container can request + to be run as privileged. + type: boolean + allowedCapabilities: + description: AllowedCapabilities is a list of capabilities that can be requested + to add to the container. Capabilities in this field maybe added at the + pod author's discretion. You must not list a capability in both AllowedCapabilities + and RequiredDropCapabilities. To allow all capabilities you may use '*'. + type: array + items: + description: Capability represent POSIX capabilities type + type: string + nullable: true + allowedFlexVolumes: + description: AllowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty + or nil indicates that all Flexvolumes may be used. This parameter is + effective only when the usage of the Flexvolumes is allowed in the "Volumes" + field. + type: array + items: + description: AllowedFlexVolume represents a single Flexvolume that is + allowed to be used. + type: object + required: + - driver + properties: + driver: + description: Driver is the name of the Flexvolume driver. + type: string + nullable: true + allowedUnsafeSysctls: + description: "AllowedUnsafeSysctls is a list of explicitly allowed unsafe + sysctls, defaults to none. Each entry is either a plain sysctl name or + ends in \"*\" in which case it is considered as a prefix of allowed sysctls. + Single * means all unsafe sysctls are allowed. Kubelet has to whitelist + all allowed unsafe sysctls explicitly to avoid rejection. \n Examples: + e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows + \"foo.bar\", \"foo.baz\", etc." + type: array + items: + type: string + nullable: true + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + defaultAddCapabilities: + description: DefaultAddCapabilities is the default set of capabilities that + will be added to the container unless the pod spec specifically drops + the capability. You may not list a capabiility in both DefaultAddCapabilities + and RequiredDropCapabilities. + type: array + items: + description: Capability represent POSIX capabilities type + type: string + nullable: true + defaultAllowPrivilegeEscalation: + description: DefaultAllowPrivilegeEscalation controls the default setting + for whether a process can gain more privileges than its parent process. + type: boolean + nullable: true + forbiddenSysctls: + description: "ForbiddenSysctls is a list of explicitly forbidden sysctls, + defaults to none. Each entry is either a plain sysctl name or ends in + \"*\" in which case it is considered as a prefix of forbidden sysctls. + Single * means all sysctls are forbidden. \n Examples: e.g. \"foo/*\" + forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", + \"foo.baz\", etc." + type: array + items: + type: string + nullable: true + fsGroup: + description: FSGroup is the strategy that will dictate what fs group is + used by the SecurityContext. + type: object + properties: + ranges: + description: Ranges are the allowed ranges of fs groups. If you would + like to force a single fs group then supply a single range with the + same start and end. + type: array + items: + description: 'IDRange provides a min/max of an allowed range of IDs. + TODO: this could be reused for UIDs.' + type: object + properties: + max: + description: Max is the end of the range, inclusive. + type: integer + format: int64 + min: + description: Min is the start of the range, inclusive. + type: integer + format: int64 + type: + description: Type is the strategy that will dictate what FSGroup is + used in the SecurityContext. 
+ type: string + nullable: true + groups: + description: The groups that have permission to use this security context + constraints + type: array + items: + type: string + nullable: true + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + description: 'Standard object''s metadata. More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#metadata' + type: object + priority: + description: Priority influences the sort order of SCCs when evaluating + which SCCs to try first for a given pod request based on access in the + Users and Groups fields. The higher the int, the higher priority. An + unset value is considered a 0 priority. If scores for multiple SCCs are + equal they will be sorted from most restrictive to least restrictive. + If both priorities and restrictions are equal the SCCs will be sorted + by name. + type: integer + format: int32 + nullable: true + readOnlyRootFilesystem: + description: ReadOnlyRootFilesystem when set to true will force containers + to run with a read only root file system. If the container specifically + requests to run with a non-read only root file system the SCC should deny + the pod. If set to false the container may run with a read only root file + system if it wishes but it will not be forced to. + type: boolean + requiredDropCapabilities: + description: RequiredDropCapabilities are the capabilities that will be + dropped from the container. These are required to be dropped and cannot + be added. 
+ type: array + items: + description: Capability represent POSIX capabilities type + type: string + nullable: true + runAsUser: + description: RunAsUser is the strategy that will dictate what RunAsUser + is used in the SecurityContext. + type: object + properties: + type: + description: Type is the strategy that will dictate what RunAsUser is + used in the SecurityContext. + type: string + uid: + description: UID is the user id that containers must run as. Required + for the MustRunAs strategy if not using namespace/service account + allocated uids. + type: integer + format: int64 + uidRangeMax: + description: UIDRangeMax defines the max value for a strategy that allocates + by range. + type: integer + format: int64 + uidRangeMin: + description: UIDRangeMin defines the min value for a strategy that allocates + by range. + type: integer + format: int64 + nullable: true + seLinuxContext: + description: SELinuxContext is the strategy that will dictate what labels + will be set in the SecurityContext. + type: object + properties: + seLinuxOptions: + description: seLinuxOptions required to run as; required for MustRunAs + type: object + properties: + level: + description: Level is SELinux level label that applies to the container. + type: string + role: + description: Role is a SELinux role label that applies to the container. + type: string + type: + description: Type is a SELinux type label that applies to the container. + type: string + user: + description: User is a SELinux user label that applies to the container. + type: string + type: + description: Type is the strategy that will dictate what SELinux context + is used in the SecurityContext. + type: string + nullable: true + seccompProfiles: + description: "SeccompProfiles lists the allowed profiles that may be set + for the pod or container's seccomp annotations. An unset (nil) or empty + value means that no profiles may be specifid by the pod or container.\tThe + wildcard '*' may be used to allow all profiles. 
When used to generate + a value for a pod the first non-wildcard profile will be used as the default." + type: array + items: + type: string + nullable: true + supplementalGroups: + description: SupplementalGroups is the strategy that will dictate what supplemental + groups are used by the SecurityContext. + type: object + properties: + ranges: + description: Ranges are the allowed ranges of supplemental groups. If + you would like to force a single supplemental group then supply a + single range with the same start and end. + type: array + items: + description: 'IDRange provides a min/max of an allowed range of IDs. + TODO: this could be reused for UIDs.' + type: object + properties: + max: + description: Max is the end of the range, inclusive. + type: integer + format: int64 + min: + description: Min is the start of the range, inclusive. + type: integer + format: int64 + type: + description: Type is the strategy that will dictate what supplemental + groups is used in the SecurityContext. + type: string + nullable: true + users: + description: The users who have permissions to use this security context + constraints + type: array + items: + type: string + nullable: true + volumes: + description: Volumes is a white list of allowed volume plugins. FSType + corresponds directly with the field names of a VolumeSource (azureFile, + configMap, emptyDir). To allow all volumes you may use "*". To allow + no volumes, set to ["none"]. + type: array + items: + description: FS Type gives strong typing to different file systems that + are used by volumes. + type: string + nullable: true