diff --git a/Gopkg.lock b/Gopkg.lock
index 9c7b94e4db..6ccada9bd4 100644
--- a/Gopkg.lock
+++ b/Gopkg.lock
@@ -367,7 +367,7 @@ [[projects]] branch = "master" - digest = "1:2018ec46c98c3f117c14875c08ab28c6da12006b542af2a474deb8b40f37e4a0" + digest = "1:fdde039e2eaa7155792a4eaffebdaebc1756dbf0f533550a0ed1b82140410d6d" name = "github.com/openshift/api" packages = [ "config/v1",
@@ -375,7 +375,7 @@ "operator/v1", ] pruneopts = "NT" - revision = "3fb334864749eacd019c24e50e9a0628b628cfbe" + revision = "d75a161a0f4ded1815ec24321fc1f8609c255cdb" [[projects]] branch = "master"
diff --git a/vendor/github.com/openshift/api/config/v1/types_apiserver.go b/vendor/github.com/openshift/api/config/v1/types_apiserver.go
index fc430d69f5..ea76aec02c 100644
--- a/vendor/github.com/openshift/api/config/v1/types_apiserver.go
+++ b/vendor/github.com/openshift/api/config/v1/types_apiserver.go
@@ -8,7 +8,9 @@ import (
 // +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// APIServer holds cluster-wide information about api-servers. The canonical name is `cluster`
+// APIServer holds configuration (like serving certificates, client CA and CORS domains)
+// shared by all API servers in the system, among them especially kube-apiserver
+// and openshift-apiserver. The canonical name of an instance is 'cluster'.
 type APIServer struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
diff --git a/vendor/github.com/openshift/api/config/v1/types_authentication.go b/vendor/github.com/openshift/api/config/v1/types_authentication.go
index 508469d0ff..6d32b9d827 100644
--- a/vendor/github.com/openshift/api/config/v1/types_authentication.go
+++ b/vendor/github.com/openshift/api/config/v1/types_authentication.go
@@ -6,7 +6,8 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 // +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// Authentication holds cluster-wide information about Authentication. The canonical name is `cluster`
+// Authentication specifies cluster-wide settings for authentication (like OAuth and
+// webhook token authenticators). The canonical name of an instance is `cluster`.
 type Authentication struct {
 metav1.TypeMeta `json:",inline"`
 // Standard object's metadata.
diff --git a/vendor/github.com/openshift/api/config/v1/types_console.go b/vendor/github.com/openshift/api/config/v1/types_console.go
index b137c26e08..9cda3f83b6 100644
--- a/vendor/github.com/openshift/api/config/v1/types_console.go
+++ b/vendor/github.com/openshift/api/config/v1/types_console.go
@@ -6,7 +6,9 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 // +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// Console holds cluster-wide information about Console. The canonical name is `cluster`.
+// Console holds cluster-wide configuration for the web console, including the
+// logout URL, and reports the public URL of the console. The canonical name is
+// `cluster`.
 type Console struct {
 metav1.TypeMeta `json:",inline"`
 // Standard object's metadata.
diff --git a/vendor/github.com/openshift/api/config/v1/types_proxy.go b/vendor/github.com/openshift/api/config/v1/types_proxy.go
index 1f01f961d8..821ae89750 100644
--- a/vendor/github.com/openshift/api/config/v1/types_proxy.go
+++ b/vendor/github.com/openshift/api/config/v1/types_proxy.go
@@ -39,6 +39,29 @@ type ProxySpec struct {
 // readinessEndpoints is a list of endpoints used to verify readiness of the proxy.
 // +optional
 ReadinessEndpoints []string `json:"readinessEndpoints,omitempty"`
+
+ // trustedCA is a reference to a ConfigMap containing a CA certificate bundle used
+ // for client egress HTTPS connections. The certificate bundle must be from the CA
+ // that signed the proxy's certificate and be signed for everything. trustedCA should
+ // only be consumed by a proxy validator. The validator is responsible for reading
+ // ConfigMapNameReference, validating the certificate and copying "ca-bundle.crt"
+ // from data to a ConfigMap in the namespace of an operator configured for proxy.
+ // The namespace for this ConfigMap is "openshift-config-managed". Here is an example
+ // ConfigMap (in yaml):
+ //
+ // apiVersion: v1
+ // kind: ConfigMap
+ // metadata:
+ // name: proxy-ca
+ // namespace: openshift-config-managed
+ // data:
+ // ca-bundle.crt: |
+ // -----BEGIN CERTIFICATE-----
+ // Custom CA certificate bundle.
+ // -----END CERTIFICATE-----
+ //
+ // +optional
+ TrustedCA ConfigMapNameReference `json:"trustedCA,omitempty"`
 }
 // ProxyStatus shows current known state of the cluster proxy.
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go
index 37fdaf9f9c..4fa507b16a 100644
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go
@@ -2669,6 +2669,7 @@ func (in *ProxySpec) DeepCopyInto(out *ProxySpec) { *out = make([]string, len(*in)) copy(*out, *in) } + out.TrustedCA = in.TrustedCA return }
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go
index 3b33820d31..7d48f6bd89 100644
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go @@ -244,7 +244,7 @@ func (StringSourceSpec) SwaggerDoc() map[string]string { } var map_APIServer = map[string]string{ - "": "APIServer holds cluster-wide information about api-servers. The canonical name is `cluster`", + "": "APIServer holds configuration (like serving certificates, client CA and CORS domains) shared by all API servers in the system, among them especially kube-apiserver and openshift-apiserver. The canonical name of an instance is 'cluster'.", } func (APIServer) SwaggerDoc() map[string]string { @@ -280,7 +280,7 @@ func (APIServerSpec) SwaggerDoc() map[string]string { } var map_Authentication = map[string]string{ - "": "Authentication holds cluster-wide information about Authentication. The canonical name is `cluster`", + "": "Authentication specifies cluster-wide settings for authentication (like OAuth and webhook token authenticators). The canonical name of an instance is `cluster`.", "metadata": "Standard object's metadata.", "spec": "spec holds user settable values for configuration", "status": "status holds observed values from the cluster. They may not be overridden.", @@ -539,7 +539,7 @@ func (UpdateHistory) SwaggerDoc() map[string]string { } var map_Console = map[string]string{ - "": "Console holds cluster-wide information about Console. The canonical name is `cluster`.", + "": "Console holds cluster-wide configuration for the web console, including the logout URL, and reports the public URL of the console. The canonical name is `cluster`.", "metadata": "Standard object's metadata.", "spec": "spec holds user settable values for configuration", "status": "status holds observed values from the cluster. They may not be overridden.", 
@@ -1208,6 +1208,7 @@ var map_ProxySpec = map[string]string{ "httpsProxy": "httpsProxy is the URL of the proxy for HTTPS requests. Empty means unset and will not result in an env var.", "noProxy": "noProxy is a comma-separated list of hostnames and/or CIDRs for which the proxy should not be used. Empty means unset and will not result in an env var.", "readinessEndpoints": "readinessEndpoints is a list of endpoints used to verify readiness of the proxy.", + "trustedCA": "trustedCA is a reference to a ConfigMap containing a CA certificate bundle used for client egress HTTPS connections. The certificate bundle must be from the CA that signed the proxy's certificate and be signed for everything. trustedCA should only be consumed by a proxy validator. The validator is responsible for reading ConfigMapNameReference, validating the certificate and copying \"ca-bundle.crt\" from data to a ConfigMap in the namespace of an operator configured for proxy. The namespace for this ConfigMap is \"openshift-config-managed\". Here is an example ConfigMap (in yaml):\n\napiVersion: v1 kind: ConfigMap metadata:\n name: proxy-ca\n namespace: openshift-config-managed\n data:\n ca-bundle.crt: |", } func (ProxySpec) SwaggerDoc() map[string]string { diff --git a/vendor/github.com/openshift/api/console/v1/types_console_external_log_links.go b/vendor/github.com/openshift/api/console/v1/types_console_external_log_links.go index db9f8a6591..b6a1033d26 100644 --- a/vendor/github.com/openshift/api/console/v1/types_console_external_log_links.go +++ b/vendor/github.com/openshift/api/console/v1/types_console_external_log_links.go 
@@ -35,8 +35,9 @@ type ConsoleExternalLogLinkSpec struct {
 // e.g., https://example.com/logs?resourceName=${resourceName}&containerName=${containerName}&resourceNamespace=${resourceNamespace}&podLabels=${podLabels}
 HrefTemplate string `json:"hrefTemplate"`
 // namespaceFilter is a regular expression used to restrict a log link to a
- // matching set of namespaces (e.g., `/^openshift-/g`). If not specified, links will
- // be displayed for all the namespaces.
+ // matching set of namespaces (e.g., `^openshift-`). The string is converted
+ // into a regular expression using the JavaScript RegExp constructor.
+ // If not specified, links will be displayed for all the namespaces.
 // + optional
 NamespaceFilter string `json:"namespaceFilter,omitempty"`
 }
diff --git a/vendor/github.com/openshift/api/console/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/console/v1/zz_generated.swagger_doc_generated.go
index c6585f4ee4..3e65772c7c 100644
--- a/vendor/github.com/openshift/api/console/v1/zz_generated.swagger_doc_generated.go
+++ b/vendor/github.com/openshift/api/console/v1/zz_generated.swagger_doc_generated.go
@@ -62,7 +62,7 @@ var map_ConsoleExternalLogLinkSpec = map[string]string{ "": "ConsoleExternalLogLinkSpec is the desired log link configuration. The log link will appear on the logs tab of the pod details page.", "text": "text is the display text for the link", "hrefTemplate": "hrefTemplate is an absolute secure URL (must use https) for the log link including variables to be replaced. Variables are specified in the URL with the format ${variableName}, for instance, ${containerName} and will be replaced with the corresponding values from the resource. Resource is a pod. Supported variables are: - ${resourceName} - name of the resource which containes the logs - ${resourceUID} - UID of the resource which contains the logs\n - e.g. `11111111-2222-3333-4444-555555555555`\n- ${containerName} - name of the resource's container that contains the logs - ${resourceNamespace} - namespace of the resource that contains the logs - ${podLabels} - JSON representation of labels matching the pod with the logs\n - e.g. `{\"key1\":\"value1\",\"key2\":\"value2\"}`\n\ne.g., https://example.com/logs?resourceName=${resourceName}&containerName=${containerName}&resourceNamespace=${resourceNamespace}&podLabels=${podLabels}", - "namespaceFilter": "namespaceFilter is a regular expression used to restrict a log link to a matching set of namespaces (e.g., `/^openshift-/g`). If not specified, links will be displayed for all the namespaces.", + "namespaceFilter": "namespaceFilter is a regular expression used to restrict a log link to a matching set of namespaces (e.g., `^openshift-`). The string is converted into a regular expression using the JavaScript RegExp constructor. If not specified, links will be displayed for all the namespaces.", } func (ConsoleExternalLogLinkSpec) SwaggerDoc() map[string]string { 
diff --git a/vendor/github.com/openshift/api/operator/v1alpha1/types_image_content_source_policy.go b/vendor/github.com/openshift/api/operator/v1alpha1/types_image_content_source_policy.go
index 26eeef841a..db5ec6ab15 100644
--- a/vendor/github.com/openshift/api/operator/v1alpha1/types_image_content_source_policy.go
+++ b/vendor/github.com/openshift/api/operator/v1alpha1/types_image_content_source_policy.go
@@ -7,7 +7,7 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // ImageContentSourcePolicy holds cluster-wide information about how to handle registry mirror rules.
-// When multple policies are defined, the outcome of the behavior is defined on each field.
+// When multiple policies are defined, the outcome of the behavior is defined on each field.
 type ImageContentSourcePolicy struct {
 metav1.TypeMeta `json:",inline"`
 // Standard object's metadata.
@@ -24,14 +24,19 @@ type ImageContentSourcePolicySpec struct {
 // repositoryDigestMirrors allows images referenced by image digests in pods to be
 // pulled from alternative mirrored repository locations. The image pull specification
 // provided to the pod will be compared to the source locations described in RepositoryDigestMirrors
- // and the image may be pulled down from any of the repositories in the list instead of the
+ // and the image may be pulled down from any of the mirrors in the list instead of the
 // specified repository allowing administrators to choose a potentially faster mirror.
 // Only image pull specifications that have an image disgest will have this behavior applied
 // to them - tags will continue to be pulled from the specified repository in the pull spec.
- // When multiple policies are defined, any overlaps found will be merged together when the mirror
- // rules are written to `/etc/containers/registries.conf`. For example, if policy A has sources `a, b, c`
- // and policy B has sources `c, d, e`. Then the mirror rule written to `registries.conf` will be `a, b, c, d, e`
- // where the duplicate `c` is removed.
+ //
+ // Each “source” repository is treated independently; configurations for different “source”
+ // repositories don’t interact.
+ //
+ // When multiple policies are defined for the same “source” repository, the sets of defined
+ // mirrors will be merged together, preserving the relative order of the mirrors, if possible.
+ // For example, if policy A has mirrors `a, b, c` and policy B has mirrors `c, d, e`, the
+ // mirrors will be used in the order `a, b, c, d, e`. If the orders of mirror entries conflict
+ // (e.g. `a, b` vs. `b, a`) the configuration is not rejected but the resulting order is unspecified.
 // +optional
 RepositoryDigestMirrors []RepositoryDigestMirrors `json:"repositoryDigestMirrors"`
 }
@@ -47,9 +52,17 @@ type ImageContentSourcePolicyList struct {
 }
 // RepositoryDigestMirrors holds cluster-wide information about how to handle mirros in the registries config.
-// Note: the mirrors only work when pulling the images that are reference by their digests.
+// Note: the mirrors only work when pulling the images that are referenced by their digests.
 type RepositoryDigestMirrors struct {
- // sources are repositories that are mirrors of each other.
+ // source is the repository that users refer to, e.g. in image pull specifications.
+ // +required
+ Source string `json:"source"`
+ // mirrors is one or more repositories that may also contain the same images.
+ // The order of mirrors in this list is treated as the user's desired priority, while source
+ // is by default considered lower priority than all mirrors. Other cluster configuration,
+ // including (but not limited to) other repositoryDigestMirrors objects,
+ // may impact the exact order mirrors are contacted in, or some mirrors may be contacted
+ // in parallel, so this should be considered a preference rather than a guarantee of ordering.
 // +optional
- Sources []string `json:"sources,omitempty"`
+ Mirrors []string `json:"mirrors"`
 }
diff --git a/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.deepcopy.go
index 36a17cff8b..8a1bc1d2f8 100644
--- a/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.deepcopy.go
+++ b/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.deepcopy.go
@@ -275,8 +275,8 @@ func (in *OperatorStatus) DeepCopy() *OperatorStatus { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RepositoryDigestMirrors) DeepCopyInto(out *RepositoryDigestMirrors) { *out = *in - if in.Sources != nil { - in, out := &in.Sources, &out.Sources + if in.Mirrors != nil { + in, out := &in.Mirrors, &out.Mirrors *out = make([]string, len(*in)) copy(*out, *in) } diff --git a/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.swagger_doc_generated.go index fc80a126b8..84d04215c7 100644 --- a/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.swagger_doc_generated.go @@ -136,7 +136,7 @@ func (VersionAvailability) SwaggerDoc() map[string]string { } var map_ImageContentSourcePolicy = map[string]string{ - "": "ImageContentSourcePolicy holds cluster-wide information about how to handle registry mirror rules. When multple policies are defined, the outcome of the behavior is defined on each field.", + "": "ImageContentSourcePolicy holds cluster-wide information about how to handle registry mirror rules. When multiple policies are defined, the outcome of the behavior is defined on each field.", "metadata": "Standard object's metadata.", "spec": "spec holds user settable values for configuration", } 
@@ -156,7 +156,7 @@ func (ImageContentSourcePolicyList) SwaggerDoc() map[string]string { var map_ImageContentSourcePolicySpec = map[string]string{ "": "ImageContentSourcePolicySpec is the specification of the ImageContentSourcePolicy CRD.", - "repositoryDigestMirrors": "repositoryDigestMirrors allows images referenced by image digests in pods to be pulled from alternative mirrored repository locations. The image pull specification provided to the pod will be compared to the source locations described in RepositoryDigestMirrors and the image may be pulled down from any of the repositories in the list instead of the specified repository allowing administrators to choose a potentially faster mirror. Only image pull specifications that have an image disgest will have this behavior applied to them - tags will continue to be pulled from the specified repository in the pull spec. When multiple policies are defined, any overlaps found will be merged together when the mirror rules are written to `/etc/containers/registries.conf`. For example, if policy A has sources `a, b, c` and policy B has sources `c, d, e`. Then the mirror rule written to `registries.conf` will be `a, b, c, d, e` where the duplicate `c` is removed.", + "repositoryDigestMirrors": "repositoryDigestMirrors allows images referenced by image digests in pods to be pulled from alternative mirrored repository locations. The image pull specification provided to the pod will be compared to the source locations described in RepositoryDigestMirrors and the image may be pulled down from any of the mirrors in the list instead of the specified repository allowing administrators to choose a potentially faster mirror. 
Only image pull specifications that have an image disgest will have this behavior applied to them - tags will continue to be pulled from the specified repository in the pull spec.\n\nEach “source” repository is treated independently; configurations for different “source” repositories don’t interact.\n\nWhen multiple policies are defined for the same “source” repository, the sets of defined mirrors will be merged together, preserving the relative order of the mirrors, if possible. For example, if policy A has mirrors `a, b, c` and policy B has mirrors `c, d, e`, the mirrors will be used in the order `a, b, c, d, e`. If the orders of mirror entries conflict (e.g. `a, b` vs. `b, a`) the configuration is not rejected but the resulting order is unspecified.", } func (ImageContentSourcePolicySpec) SwaggerDoc() map[string]string { 
@@ -164,8 +164,9 @@ func (ImageContentSourcePolicySpec) SwaggerDoc() map[string]string { } var map_RepositoryDigestMirrors = map[string]string{ - "": "RepositoryDigestMirrors holds cluster-wide information about how to handle mirros in the registries config. Note: the mirrors only work when pulling the images that are reference by their digests.", - "sources": "sources are repositories that are mirrors of each other.", + "": "RepositoryDigestMirrors holds cluster-wide information about how to handle mirros in the registries config. Note: the mirrors only work when pulling the images that are referenced by their digests.", + "source": "source is the repository that users refer to, e.g. in image pull specifications.", + "mirrors": "mirrors is one or more repositories that may also contain the same images. The order of mirrors in this list is treated as the user's desired priority, while source is by default considered lower priority than all mirrors. Other cluster configuration, including (but not limited to) other repositoryDigestMirrors objects, may impact the exact order mirrors are contacted in, or some mirrors may be contacted in parallel, so this should be considered a preference rather than a guarantee of ordering.", } func (RepositoryDigestMirrors) SwaggerDoc() map[string]string {