diff --git a/go.mod b/go.mod
index 4aec7afd..fcbf5abd 100644
--- a/go.mod
+++ b/go.mod
@@ -13,14 +13,14 @@ require (
 github.com/golang/mock v1.6.0
 github.com/onsi/ginkgo/v2 v2.22.2
 github.com/onsi/gomega v1.36.2
- github.com/openshift/api v0.0.0-20250130171037-7bb8a0201a56
+ github.com/openshift/api v0.0.0-20250528100135-a463917701ab
 github.com/openshift/library-go v0.0.0-20250129210218-fe56c2cf5d70
- github.com/openshift/machine-api-operator v0.2.1-0.20250203164435-b657d8bf9389
- k8s.io/api v0.32.1
- k8s.io/apimachinery v0.32.1
- k8s.io/apiserver v0.32.1
- k8s.io/client-go v0.32.1
- k8s.io/component-base v0.32.1
+ github.com/openshift/machine-api-operator v0.2.1-0.20250704070513-81d86b5a1ef5
+ k8s.io/api v0.32.2
+ k8s.io/apimachinery v0.32.2
+ k8s.io/apiserver v0.32.2
+ k8s.io/client-go v0.32.2
+ k8s.io/component-base v0.32.2
 k8s.io/klog/v2 v2.130.1
 k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738
 sigs.k8s.io/controller-runtime v0.20.1
@@ -90,7 +90,7 @@ require (
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 github.com/oklog/ulid v1.3.1 // indirect
- github.com/openshift/client-go v0.0.0-20250125113824-8e1f0b8fa9a7 // indirect
+ github.com/openshift/client-go v0.0.0-20250131180035-f7ec47e2d87a // indirect
 github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 github.com/pkg/errors v0.9.1 // indirect
 github.com/prometheus/client_golang v1.20.5 // indirect
@@ -104,8 +104,8 @@ require (
 github.com/x448/float16 v0.8.4 // indirect
 github.com/xlab/treeprint v1.2.0 // indirect
 go.mongodb.org/mongo-driver v1.14.0 // indirect
- go.opentelemetry.io/otel v1.29.0 // indirect
- go.opentelemetry.io/otel/trace v1.29.0 // indirect
+ go.opentelemetry.io/otel v1.30.0 // indirect
+ go.opentelemetry.io/otel/trace v1.30.0 // indirect
 golang.org/x/crypto v0.32.0 // indirect
 golang.org/x/mod v0.22.0 // indirect
 golang.org/x/net v0.34.0 // indirect
@@ -122,10 +122,10 @@ require ( gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/apiextensions-apiserver v0.32.1 // indirect - k8s.io/cli-runtime v0.32.1 // indirect + k8s.io/apiextensions-apiserver v0.32.2 // indirect + k8s.io/cli-runtime v0.32.2 // indirect k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect - k8s.io/kubectl v0.32.1 // indirect + k8s.io/kubectl v0.32.2 // indirect sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect sigs.k8s.io/kustomize/api v0.18.0 // indirect sigs.k8s.io/kustomize/kyaml v0.18.1 // indirect diff --git a/go.sum b/go.sum index 9fcbf1f8..57b46850 100644 --- a/go.sum +++ b/go.sum @@ -111,8 +111,8 @@ github.com/emicklei/go-restful/v3 v3.12.1 h1:PJMDIM/ak7btuL8Ex0iYET9hxM3CI2sjZtz github.com/emicklei/go-restful/v3 v3.12.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/ettle/strcase v0.2.0 h1:fGNiVF21fHXpX1niBgk0aROov1LagYsOwV/xqKDKR/Q= github.com/ettle/strcase v0.2.0/go.mod h1:DajmHElDSaX76ITe3/VHVyMin4LWSJN5Z909Wp+ED1A= -github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI= -github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch v5.9.0+incompatible h1:fBXyNpNMuTTDdquAq/uisOr2lShz4oaXpDTX2bLe7ls= +github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4= 
@@ -377,18 +377,18 @@ github.com/onsi/ginkgo/v2 v2.22.2 h1:/3X8Panh8/WwhU/3Ssa6rCKqPLuAkVY2I0RoyDLySlU github.com/onsi/ginkgo/v2 v2.22.2/go.mod h1:oeMosUL+8LtarXBHu/c0bx2D/K9zyQ6uX3cTyztHwsk= github.com/onsi/gomega v1.36.2 h1:koNYke6TVk6ZmnyHrCXba/T/MoLBXFjeC1PtvYgw0A8= github.com/onsi/gomega v1.36.2/go.mod h1:DdwyADRjrc825LhMEkD76cHR5+pUnjhUN8GlHlRPHzY= -github.com/openshift/api v0.0.0-20250130171037-7bb8a0201a56 h1:fWNA66LNXugnaxTaRVHZLdW+vbwyk5vwTT9/x2YYiG8= -github.com/openshift/api v0.0.0-20250130171037-7bb8a0201a56/go.mod h1:yk60tHAmHhtVpJQo3TwVYq2zpuP70iJIFDCmeKMIzPw= -github.com/openshift/client-go v0.0.0-20250125113824-8e1f0b8fa9a7 h1:4iliLcvr1P9EUMZgIaSNEKNQQzBn+L6PSequlFOuB6Q= -github.com/openshift/client-go v0.0.0-20250125113824-8e1f0b8fa9a7/go.mod h1:2tcufBE4Cu6RNgDCxcUJepa530kGo5GFVfR9BSnndhI= +github.com/openshift/api v0.0.0-20250528100135-a463917701ab h1:99AhxDrrz2M4llF0eYOCv7NMowALSzp97UN3I5MKGlo= +github.com/openshift/api v0.0.0-20250528100135-a463917701ab/go.mod h1:yk60tHAmHhtVpJQo3TwVYq2zpuP70iJIFDCmeKMIzPw= +github.com/openshift/client-go v0.0.0-20250131180035-f7ec47e2d87a h1:duO3JMrUOqVx50QhzxvDeOYIwTNOB8/EEuRLPyvAMBg= +github.com/openshift/client-go v0.0.0-20250131180035-f7ec47e2d87a/go.mod h1:Qw3ThpzVZ0bfTILpBNYg4LGyjtNxfyCiGh/uDLOOTP8= github.com/openshift/cluster-api-actuator-pkg/testutils v0.0.0-20250122171707-86066d47a264 h1:KoJiId8Ynajf/ZFodvmayFkDODIL7Vow3LmgR5+oVRg= github.com/openshift/cluster-api-actuator-pkg/testutils v0.0.0-20250122171707-86066d47a264/go.mod h1:d6xqfLy/cKEGUKfounNsWdAhWAcUYfZyuDgHBCQyfeM= github.com/openshift/cluster-control-plane-machine-set-operator v0.0.0-20250128131205-c7b3d7b57a8e h1:fr2ilTXem4bUGpkGpICyabti3eHr9jfgCphG7meaiJw= github.com/openshift/cluster-control-plane-machine-set-operator v0.0.0-20250128131205-c7b3d7b57a8e/go.mod h1:ae3TvkWGFUuKQAnypbtiVMXxBlRfJGbf37z5zVh98uA= github.com/openshift/library-go v0.0.0-20250129210218-fe56c2cf5d70 h1:VLj8CU9q009xlMuR4wNcqDX4lVa2Ji3u/iYnBLHtQUc= 
github.com/openshift/library-go v0.0.0-20250129210218-fe56c2cf5d70/go.mod h1:TQx0VEhZ/92qRXIMDu2Wg4bUPmw5HRNE6wpSZ+IsP0Y= -github.com/openshift/machine-api-operator v0.2.1-0.20250203164435-b657d8bf9389 h1:yqbt3ldCblCq8lsLvqdOziJ90CgQ88ql1H7pJS0PWl8= -github.com/openshift/machine-api-operator v0.2.1-0.20250203164435-b657d8bf9389/go.mod h1:6aii+Rx4RSqCBxdrcwjEye5e6jsbI8PUBRMFzhfoDUU= +github.com/openshift/machine-api-operator v0.2.1-0.20250704070513-81d86b5a1ef5 h1:qE46shcZY9nOnah14lQOPWduvWYrXIVpCnDoH4IMt0o= +github.com/openshift/machine-api-operator v0.2.1-0.20250704070513-81d86b5a1ef5/go.mod h1:1fnQ4CMfwvkLTRafNW3aSC/9w73vbYW6h4ogM0sALgw= github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M= github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= 
@@ -535,10 +535,10 @@ go-simpler.org/sloglint v0.7.2 h1:Wc9Em/Zeuu7JYpl+oKoYOsQSy2X560aVueCW/m6IijY= go-simpler.org/sloglint v0.7.2/go.mod h1:US+9C80ppl7VsThQclkM7BkCHQAzuz8kHLsW3ppuluo= go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80= go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c= -go.opentelemetry.io/otel v1.29.0 h1:PdomN/Al4q/lN6iBJEN3AwPvUiHPMlt93c8bqTG5Llw= -go.opentelemetry.io/otel v1.29.0/go.mod h1:N/WtXPs1CNCUEx+Agz5uouwCba+i+bJGFicT8SR4NP8= -go.opentelemetry.io/otel/trace v1.29.0 h1:J/8ZNK4XgR7a21DZUAsbF8pZ5Jcw1VhACmnYt39JTi4= -go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ= +go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts= +go.opentelemetry.io/otel v1.30.0/go.mod h1:tFw4Br9b7fOS+uEao81PJjVMjW/5fvNCbpsDIXqP0pc= +go.opentelemetry.io/otel/trace v1.30.0 h1:7UBkkYzeg3C7kQX8VAidWh2biiQbtAKjyIML8dQ9wmc= +go.opentelemetry.io/otel/trace v1.30.0/go.mod h1:5EyKqTzzmyqB9bwtCCq6pDLktPK6fmGf/Dph+8VI02o= go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs= go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= 
@@ -629,26 +629,26 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= honnef.co/go/tools v0.5.1 h1:4bH5o3b5ZULQ4UrBmP+63W9r7qIkqJClEA9ko5YKx+I= honnef.co/go/tools v0.5.1/go.mod h1:e9irvo83WDG9/irijV44wr3tbhcFeRnfpVlRqVwpzMs= -k8s.io/api v0.32.1 h1:f562zw9cy+GvXzXf0CKlVQ7yHJVYzLfL6JAS4kOAaOc= -k8s.io/api v0.32.1/go.mod h1:/Yi/BqkuueW1BgpoePYBRdDYfjPF5sgTr5+YqDZra5k= -k8s.io/apiextensions-apiserver v0.32.1 h1:hjkALhRUeCariC8DiVmb5jj0VjIc1N0DREP32+6UXZw= -k8s.io/apiextensions-apiserver v0.32.1/go.mod h1:sxWIGuGiYov7Io1fAS2X06NjMIk5CbRHc2StSmbaQto= -k8s.io/apimachinery v0.32.1 h1:683ENpaCBjma4CYqsmZyhEzrGz6cjn1MY/X2jB2hkZs= -k8s.io/apimachinery v0.32.1/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE= -k8s.io/apiserver v0.32.1 h1:oo0OozRos66WFq87Zc5tclUX2r0mymoVHRq8JmR7Aak= -k8s.io/apiserver v0.32.1/go.mod h1:UcB9tWjBY7aryeI5zAgzVJB/6k7E97bkr1RgqDz0jPw= -k8s.io/cli-runtime v0.32.1 h1:19nwZPlYGJPUDbhAxDIS2/oydCikvKMHsxroKNGA2mM= -k8s.io/cli-runtime v0.32.1/go.mod h1:NJPbeadVFnV2E7B7vF+FvU09mpwYlZCu8PqjzfuOnkY= -k8s.io/client-go v0.32.1 h1:otM0AxdhdBIaQh7l1Q0jQpmo7WOFIk5FFa4bg6YMdUU= -k8s.io/client-go v0.32.1/go.mod h1:aTTKZY7MdxUaJ/KiUs8D+GssR9zJZi77ZqtzcGXIiDg= -k8s.io/component-base v0.32.1 h1:/5IfJ0dHIKBWysGV0yKTFfacZ5yNV1sulPh3ilJjRZk= -k8s.io/component-base v0.32.1/go.mod h1:j1iMMHi/sqAHeG5z+O9BFNCF698a1u0186zkjMZQ28w= +k8s.io/api v0.32.2 h1:bZrMLEkgizC24G9eViHGOPbW+aRo9duEISRIJKfdJuw= +k8s.io/api v0.32.2/go.mod h1:hKlhk4x1sJyYnHENsrdCWw31FEmCijNGPJO5WzHiJ6Y= +k8s.io/apiextensions-apiserver v0.32.2 h1:2YMk285jWMk2188V2AERy5yDwBYrjgWYggscghPCvV4= +k8s.io/apiextensions-apiserver v0.32.2/go.mod h1:GPwf8sph7YlJT3H6aKUWtd0E+oyShk/YHWQHf/OOgCA= +k8s.io/apimachinery v0.32.2 h1:yoQBR9ZGkA6Rgmhbp/yuT9/g+4lxtsGYwW6dR6BDPLQ= +k8s.io/apimachinery v0.32.2/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE= +k8s.io/apiserver v0.32.2 
h1:WzyxAu4mvLkQxwD9hGa4ZfExo3yZZaYzoYvvVDlM6vw= +k8s.io/apiserver v0.32.2/go.mod h1:PEwREHiHNU2oFdte7BjzA1ZyjWjuckORLIK/wLV5goM= +k8s.io/cli-runtime v0.32.2 h1:aKQR4foh9qeyckKRkNXUccP9moxzffyndZAvr+IXMks= +k8s.io/cli-runtime v0.32.2/go.mod h1:a/JpeMztz3xDa7GCyyShcwe55p8pbcCVQxvqZnIwXN8= +k8s.io/client-go v0.32.2 h1:4dYCD4Nz+9RApM2b/3BtVvBHw54QjMFUl1OLcJG5yOA= +k8s.io/client-go v0.32.2/go.mod h1:fpZ4oJXclZ3r2nDOv+Ux3XcJutfrwjKTCHz2H3sww94= +k8s.io/component-base v0.32.2 h1:1aUL5Vdmu7qNo4ZsE+569PV5zFatM9hl+lb3dEea2zU= +k8s.io/component-base v0.32.2/go.mod h1:PXJ61Vx9Lg+P5mS8TLd7bCIr+eMJRQTyXe8KvkrvJq0= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f h1:GA7//TjRY9yWGy1poLzYYJJ4JRdzg3+O6e8I+e+8T5Y= k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f/go.mod h1:R/HEjbvWI0qdfb8viZUeVZm0X6IZnxAydC7YU42CMw4= -k8s.io/kubectl v0.32.1 h1:/btLtXLQUU1rWx8AEvX9jrb9LaI6yeezt3sFALhB8M8= -k8s.io/kubectl v0.32.1/go.mod h1:sezNuyWi1STk4ZNPVRIFfgjqMI6XMf+oCVLjZen/pFQ= +k8s.io/kubectl v0.32.2 h1:TAkag6+XfSBgkqK9I7ZvwtF0WVtUAvK8ZqTt+5zi1Us= +k8s.io/kubectl v0.32.2/go.mod h1:+h/NQFSPxiDZYX/WZaWw9fwYezGLISP0ud8nQKg+3g8= k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro= k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= mvdan.cc/gofumpt v0.7.0 h1:bg91ttqXmi9y2xawvkuMXyvAA/1ZGJqYAEGjXuP0JXU= diff --git a/vendor/github.com/openshift/api/config/v1/types_apiserver.go b/vendor/github.com/openshift/api/config/v1/types_apiserver.go index 75b647f7..38322b95 100644 --- a/vendor/github.com/openshift/api/config/v1/types_apiserver.go +++ b/vendor/github.com/openshift/api/config/v1/types_apiserver.go 
@@ -51,6 +51,7 @@ type APIServerSpec struct {
 // server from JavaScript applications.
 // The values are regular expressions that correspond to the Golang regular expression language.
 // +optional
+ // +listType=atomic
 AdditionalCORSAllowedOrigins []string `json:"additionalCORSAllowedOrigins,omitempty"`
 // encryption allows the configuration of encryption of resources at the datastore layer.
 // +optional
@@ -153,6 +154,7 @@ type APIServerServingCerts struct {
 // If no named certificates are provided, or no named certificates match the server name as understood by a client,
 // the defaultServingCertificate will be used.
 // +optional
+ // +listType=atomic
 NamedCertificates []APIServerNamedServingCert `json:"namedCertificates,omitempty"`
 }
@@ -162,6 +164,7 @@ type APIServerNamedServingCert struct {
 // serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates.
 // Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names.
 // +optional
+ // +listType=atomic
 Names []string `json:"names,omitempty"`
 // servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic.
 // The secret must exist in the openshift-config namespace and contain the following required fields:
@@ -170,6 +173,9 @@ type APIServerNamedServingCert struct {
 ServingCertificate SecretNameReference `json:"servingCertificate"`
 }
+// APIServerEncryption is used to encrypt sensitive resources on the cluster.
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=KMSEncryptionProvider,rule="has(self.type) && self.type == 'KMS' ? has(self.kms) : !has(self.kms)",message="kms config is required when encryption type is KMS, and forbidden otherwise"
+// +union
 type APIServerEncryption struct {
 // type defines what encryption type should be used to encrypt resources at the datastore layer.
 // When this field is unset (i.e. when it is set to the empty string), identity is implied.
@@ -188,9 +194,23 @@ type APIServerEncryption struct {
 // +unionDiscriminator
 // +optional
 Type EncryptionType `json:"type,omitempty"`
+
+ // kms defines the configuration for the external KMS instance that manages the encryption keys,
+ // when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an
+ // externally configured KMS instance.
+ //
+ // The Key Management Service (KMS) instance provides symmetric encryption and is responsible for
+ // managing the lifecyle of the encryption keys outside of the control plane.
+ // This allows integration with an external provider to manage the data encryption keys securely.
+ //
+ // +openshift:enable:FeatureGate=KMSEncryptionProvider
+ // +unionMember
+ // +optional
+ KMS *KMSConfig `json:"kms,omitempty"`
 }
-// +kubebuilder:validation:Enum="";identity;aescbc;aesgcm
+// +openshift:validation:FeatureGateAwareEnum:featureGate="",enum="";identity;aescbc;aesgcm
+// +openshift:validation:FeatureGateAwareEnum:featureGate=KMSEncryptionProvider,enum="";identity;aescbc;aesgcm;KMS
 type EncryptionType string
 const (
@@ -205,6 +225,11 @@ const (
 // aesgcm refers to a type where AES-GCM with random nonce and a 32-byte key
 // is used to perform encryption at the datastore layer.
 EncryptionTypeAESGCM EncryptionType = "aesgcm"
+
+ // kms refers to a type of encryption where the encryption keys are managed
+ // outside the control plane in a Key Management Service instance,
+ // encryption is still performed at the datastore layer.
+ EncryptionTypeKMS EncryptionType = "KMS"
 )
 type APIServerStatus struct {
diff --git a/vendor/github.com/openshift/api/config/v1/types_authentication.go b/vendor/github.com/openshift/api/config/v1/types_authentication.go
index 65dffddb..02c586b3 100644
--- a/vendor/github.com/openshift/api/config/v1/types_authentication.go
+++ b/vendor/github.com/openshift/api/config/v1/types_authentication.go
@@ -5,7 +5,7 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 // +genclient
 // +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDC,rule="!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace == specC.componentNamespace && statusC.componentName == specC.componentName) || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, oldC.componentNamespace == specC.componentNamespace && oldC.componentName == specC.componentName)))))",message="all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDC;ExternalOIDCWithUIDAndExtraClaimMappings,rule="!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace == specC.componentNamespace && statusC.componentName == specC.componentName) || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, oldC.componentNamespace == specC.componentNamespace && oldC.componentName == specC.componentName)))))",message="all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients"
 // Authentication specifies cluster-wide settings for authentication (like OAuth and
 // webhook token authenticators). The canonical name of an instance is `cluster`.
@@ -90,6 +90,7 @@ type AuthenticationSpec struct {
 // +listMapKey=name
 // +kubebuilder:validation:MaxItems=1
 // +openshift:enable:FeatureGate=ExternalOIDC
+ // +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings
 OIDCProviders []OIDCProvider `json:"oidcProviders,omitempty"`
 }
@@ -117,6 +118,7 @@ type AuthenticationStatus struct {
 // +listMapKey=componentName
 // +kubebuilder:validation:MaxItems=20
 // +openshift:enable:FeatureGate=ExternalOIDC
+ // +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings
 OIDCClients []OIDCClientStatus `json:"oidcClients"`
 }
@@ -135,7 +137,7 @@ type AuthenticationList struct {
 }
 // +openshift:validation:FeatureGateAwareEnum:featureGate="",enum="";None;IntegratedOAuth
-// +openshift:validation:FeatureGateAwareEnum:featureGate=ExternalOIDC,enum="";None;IntegratedOAuth;OIDC
+// +openshift:validation:FeatureGateAwareEnum:featureGate=ExternalOIDC;ExternalOIDCWithUIDAndExtraClaimMappings,enum="";None;IntegratedOAuth;OIDC
 type AuthenticationType string
 const (
@@ -193,32 +195,50 @@ const (
 )
 type OIDCProvider struct {
- // name of the OIDC provider
+ // name is a required field that configures the unique human-readable identifier
+ // associated with the identity provider.
+ // It is used to distinguish between multiple identity providers
+ // and has no impact on token validation or authentication mechanics.
+ //
+ // name must not be an empty string ("").
 //
 // +kubebuilder:validation:MinLength=1
 // +required
 Name string `json:"name"`
+
- // issuer describes atributes of the OIDC token issuer
+ // issuer is a required field that configures how the platform interacts
+ // with the identity provider and how tokens issued from the identity provider
+ // are evaluated by the Kubernetes API server.
 //
 // +required
 Issuer TokenIssuer `json:"issuer"`
- // oidcClients contains configuration for the platform's clients that
- // need to request tokens from the issuer
+ // oidcClients is an optional field that configures how on-cluster,
+ // platform clients should request tokens from the identity provider.
+ // oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.
 //
 // +listType=map
 // +listMapKey=componentNamespace
 // +listMapKey=componentName
 // +kubebuilder:validation:MaxItems=20
+ // +optional
 OIDCClients []OIDCClientConfig `json:"oidcClients"`
- // claimMappings describes rules on how to transform information from an
- // ID token into a cluster identity
+ // claimMappings is an optional field that configures the rules to be used by
+ // the Kubernetes API server for translating claims in a JWT token, issued
+ // by the identity provider, to a cluster identity.
+ //
+ // +optional
 ClaimMappings TokenClaimMappings `json:"claimMappings"`
- // claimValidationRules are rules that are applied to validate token claims to authenticate users.
+ // claimValidationRules is an optional field that configures the rules to
+ // be used by the Kubernetes API server for validating the claims in a JWT
+ // token issued by the identity provider.
+ //
+ // Validation rules are joined via an AND operation.
 //
 // +listType=atomic
+ // +optional
 ClaimValidationRules []TokenClaimValidationRule `json:"claimValidationRules,omitempty"`
 }
@@ -226,17 +246,22 @@ type OIDCProvider struct {
 type TokenAudience string
 type TokenIssuer struct {
- // URL is the serving URL of the token issuer.
- // Must use the https:// scheme.
+ // issuerURL is a required field that configures the URL used to issue tokens
+ // by the identity provider.
+ // The Kubernetes API server determines how authentication tokens should be handled
+ // by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.
+ //
+ // issuerURL must use the 'https' scheme.
 //
 // +kubebuilder:validation:Pattern=`^https:\/\/[^\s]`
 // +required
 URL string `json:"issuerURL"`
- // audiences is an array of audiences that the token was issued for.
- // Valid tokens must include at least one of these values in their
- // "aud" claim.
- // Must be set to exactly one value.
+ // audiences is a required field that configures the acceptable audiences
+ // the JWT token, issued by the identity provider, must be issued to.
+ // At least one of the entries must match the 'aud' claim in the JWT token.
+ //
+ // audiences must contain at least one entry and must not exceed ten entries.
 //
 // +listType=set
 // +kubebuilder:validation:MinItems=1
@@ -244,93 +269,293 @@ type TokenIssuer struct {
 // +required
 Audiences []TokenAudience `json:"audiences"`
- // CertificateAuthority is a reference to a config map in the
- // configuration namespace. The .data of the configMap must contain
- // the "ca-bundle.crt" key.
- // If unset, system trust is used instead.
+ // issuerCertificateAuthority is an optional field that configures the
+ // certificate authority, used by the Kubernetes API server, to validate
+ // the connection to the identity provider when fetching discovery information.
+ //
+ // When not specified, the system trust is used.
+ //
+ // When specified, it must reference a ConfigMap in the openshift-config
+ // namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt'
+ // key in the data field of the ConfigMap.
+ //
+ // +optional
 CertificateAuthority ConfigMapNameReference `json:"issuerCertificateAuthority"`
 }
 type TokenClaimMappings struct {
- // username is a name of the claim that should be used to construct
- // usernames for the cluster identity.
+ // username is an optional field that configures how the username of a cluster identity
+ // should be constructed from the claims in a JWT token issued by the identity provider.
 //
- // Default value: "sub"
+ // +optional
 Username UsernameClaimMapping `json:"username,omitempty"`
- // groups is a name of the claim that should be used to construct
- // groups for the cluster identity.
- // The referenced claim must use array of strings values.
+ // groups is an optional field that configures how the groups of a cluster identity
+ // should be constructed from the claims in a JWT token issued
+ // by the identity provider.
+ // When referencing a claim, if the claim is present in the JWT
+ // token, its value must be a list of groups separated by a comma (',').
+ // For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values.
+ //
+ // +optional
 Groups PrefixedClaimMapping `json:"groups,omitempty"`
+
+ // uid is an optional field for configuring the claim mapping
+ // used to construct the uid for the cluster identity.
+ //
+ // When using uid.claim to specify the claim it must be a single string value.
+ // When using uid.expression the expression must result in a single string value.
+ //
+ // When omitted, this means the user has no opinion and the platform
+ // is left to choose a default, which is subject to change over time.
+ // The current default is to use the 'sub' claim.
+ //
+ // +optional
+ // +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings
+ UID *TokenClaimOrExpressionMapping `json:"uid,omitempty"`
+
+ // extra is an optional field for configuring the mappings
+ // used to construct the extra attribute for the cluster identity.
+ // When omitted, no extra attributes will be present on the cluster identity.
+ // key values for extra mappings must be unique.
+ // A maximum of 64 extra attribute mappings may be provided.
+ //
+ // +optional
+ // +kubebuilder:validation:MaxItems=64
+ // +listType=map
+ // +listMapKey=key
+ // +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings
+ Extra []ExtraMapping `json:"extra,omitempty"`
 }
+// TokenClaimMapping allows specifying a JWT token
+// claim to be used when mapping claims from an
+// authentication token to cluster identities.
 type TokenClaimMapping struct {
- // claim is a JWT token claim to be used in the mapping
+ // claim is a required field that configures the JWT token
+ // claim whose value is assigned to the cluster identity
+ // field associated with this mapping.
 //
 // +required
 Claim string `json:"claim"`
 }
+// TokenClaimOrExpressionMapping allows specifying either a JWT
+// token claim or CEL expression to be used when mapping claims
+// from an authentication token to cluster identities.
+// +kubebuilder:validation:XValidation:rule="has(self.claim) ? !has(self.expression) : has(self.expression)",message="precisely one of claim or expression must be set"
+type TokenClaimOrExpressionMapping struct {
+ // claim is an optional field for specifying the
+ // JWT token claim that is used in the mapping.
+ // The value of this claim will be assigned to
+ // the field in which this mapping is associated.
+ //
+ // Precisely one of claim or expression must be set.
+ // claim must not be specified when expression is set.
+ // When specified, claim must be at least 1 character in length
+ // and must not exceed 256 characters in length.
+ //
+ // +optional
+ // +kubebuilder:validation:MaxLength=256
+ // +kubebuilder:validation:MinLength=1
+ Claim string `json:"claim,omitempty"`
+
+ // expression is an optional field for specifying a
+ // CEL expression that produces a string value from
+ // JWT token claims.
+ //
+ // CEL expressions have access to the token claims
+ // through a CEL variable, 'claims'.
+ // 'claims' is a map of claim names to claim values.
+ // For example, the 'sub' claim value can be accessed as 'claims.sub'.
+ // Nested claims can be accessed using dot notation ('claims.foo.bar').
+ //
+ // Precisely one of claim or expression must be set.
+ // expression must not be specified when claim is set.
+ // When specified, expression must be at least 1 character in length
+ // and must not exceed 4096 characters in length.
+ //
+ // +optional
+ // +kubebuilder:validation:MaxLength=4096
+ // +kubebuilder:validation:MinLength=1
+ Expression string `json:"expression,omitempty"`
+}
+
+// ExtraMapping allows specifying a key and CEL expression
+// to evaluate the keys' value. It is used to create additional
+// mappings and attributes added to a cluster identity from
+// a provided authentication token.
+type ExtraMapping struct {
+ // key is a required field that specifies the string
+ // to use as the extra attribute key.
+ //
+ // key must be a domain-prefix path (e.g 'example.org/foo').
+ // key must not exceed 510 characters in length.
+ // key must contain the '/' character, separating the domain and path characters.
+ // key must not be empty.
+ //
+ // The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain.
+ // It must not exceed 253 characters in length.
+ // It must start and end with an alphanumeric character.
+ // It must only contain lower case alphanumeric characters and '-' or '.'.
+ // It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io".
+ //
+ // The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one
+ // alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'.
+ // It must not exceed 256 characters in length.
+ //
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=510
+ // +kubebuilder:validation:XValidation:rule="self.contains('/')",message="key must contain the '/' character"
+ //
+ // +kubebuilder:validation:XValidation:rule="self.split('/', 2)[0].matches(\"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\")",message="the domain of the key must consist of only lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character"
+ // +kubebuilder:validation:XValidation:rule="self.split('/', 2)[0].size() <= 253",message="the domain of the key must not exceed 253 characters in length"
+ //
+ // +kubebuilder:validation:XValidation:rule="self.split('/', 2)[0] != 'kubernetes.io'",message="the domain 'kubernetes.io' is reserved for Kubernetes use"
+ // +kubebuilder:validation:XValidation:rule="!self.split('/', 2)[0].endsWith('.kubernetes.io')",message="the subdomains '*.kubernetes.io' are reserved for Kubernetes use"
+ // +kubebuilder:validation:XValidation:rule="self.split('/', 2)[0] != 'k8s.io'",message="the domain 'k8s.io' is reserved for Kubernetes use"
+ // +kubebuilder:validation:XValidation:rule="!self.split('/', 2)[0].endsWith('.k8s.io')",message="the subdomains '*.k8s.io' are reserved for Kubernetes use"
+ // +kubebuilder:validation:XValidation:rule="self.split('/', 2)[0] != 'openshift.io'",message="the domain 'openshift.io' is reserved for OpenShift use"
+ // +kubebuilder:validation:XValidation:rule="!self.split('/', 2)[0].endsWith('.openshift.io')",message="the subdomains '*.openshift.io' are reserved for OpenShift use"
+ //
+ // +kubebuilder:validation:XValidation:rule="self.split('/', 2)[1].matches('[A-Za-z0-9/\\\\-._~%!$&\\'()*+;=:]+')",message="the path of the key must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, apostrophe, '-', '.', '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', ';', '=', and ':'"
+ // +kubebuilder:validation:XValidation:rule="self.split('/', 2)[1].size() <= 256",message="the path of the key must not exceed 256 characters in length"
+ Key string `json:"key"`
+
+ // valueExpression is a required field to specify the CEL expression to extract
+ // the extra attribute value from a JWT token's claims.
+ // valueExpression must produce a string or string array value.
+ // "", [], and null are treated as the extra mapping not being present.
+ // Empty string values within an array are filtered out.
+ //
+ // CEL expressions have access to the token claims
+ // through a CEL variable, 'claims'.
+ // 'claims' is a map of claim names to claim values.
+ // For example, the 'sub' claim value can be accessed as 'claims.sub'.
+ // Nested claims can be accessed using dot notation ('claims.foo.bar').
+ //
+ // valueExpression must not exceed 4096 characters in length.
+ // valueExpression must not be empty.
+ //
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=4096
+ ValueExpression string `json:"valueExpression"`
+}
+
+// OIDCClientConfig configures how platform clients
+// interact with identity providers as an authentication
+// method
 type OIDCClientConfig struct {
- // componentName is the name of the component that is supposed to consume this
- // client configuration
+ // componentName is a required field that specifies the name of the platform
+ // component being configured to use the identity provider as an authentication mode.
+ // It is used in combination with componentNamespace as a unique identifier.
+ //
+ // componentName must not be an empty string ("") and must not exceed 256 characters in length.
 //
 // +kubebuilder:validation:MinLength=1
 // +kubebuilder:validation:MaxLength=256
 // +required
 ComponentName string `json:"componentName"`
- // componentNamespace is the namespace of the component that is supposed to consume this
- // client configuration
+ // componentNamespace is a required field that specifies the namespace in which the
+ // platform component being configured to use the identity provider as an authentication
+ // mode is running.
+ // It is used in combination with componentName as a unique identifier.
+ //
+ // componentNamespace must not be an empty string ("") and must not exceed 63 characters in length.
 //
 // +kubebuilder:validation:MinLength=1
 // +kubebuilder:validation:MaxLength=63
 // +required
 ComponentNamespace string `json:"componentNamespace"`
- // clientID is the identifier of the OIDC client from the OIDC provider
+ // clientID is a required field that configures the client identifier, from
+ // the identity provider, that the platform component uses for authentication
+ // requests made to the identity provider.
+ // The identity provider must accept this identifier for platform components
+ // to be able to use the identity provider as an authentication mode.
+ //
+ // clientID must not be an empty string ("").
  //
  // +kubebuilder:validation:MinLength=1
  // +required
  ClientID string `json:"clientID"`
- // clientSecret refers to a secret in the `openshift-config` namespace that
- // contains the client secret in the `clientSecret` key of the `.data` field
+ // clientSecret is an optional field that configures the client secret used
+ // by the platform component when making authentication requests to the identity provider.
+ //
+ // When not specified, no client secret will be used when making authentication requests
+ // to the identity provider.
+ //
+ // When specified, clientSecret references a Secret in the 'openshift-config'
+ // namespace that contains the client secret in the 'clientSecret' key of the '.data' field.
+ // The client secret will be used when making authentication requests to the identity provider.
+ //
+ // Public clients do not require a client secret but private
+ // clients do require a client secret to work with the identity provider.
+ //
+ // +optional
  ClientSecret SecretNameReference `json:"clientSecret"`
- // extraScopes is an optional set of scopes to request tokens with.
+ // extraScopes is an optional field that configures the extra scopes that should
+ // be requested by the platform component when making authentication requests to the
+ // identity provider.
+ // This is useful if you have configured claim mappings that requires specific
+ // scopes to be requested beyond the standard OIDC scopes.
+ //
+ // When omitted, no additional scopes are requested.
  //
  // +listType=set
+ // +optional
  ExtraScopes []string `json:"extraScopes"`
 }
+// OIDCClientStatus represents the current state
+// of platform components and how they interact with
+// the configured identity providers.
 type OIDCClientStatus struct {
- // componentName is the name of the component that will consume a client configuration.
+ // componentName is a required field that specifies the name of the platform
+ // component using the identity provider as an authentication mode.
+ // It is used in combination with componentNamespace as a unique identifier.
+ //
+ // componentName must not be an empty string ("") and must not exceed 256 characters in length.
  //
  // +kubebuilder:validation:MinLength=1
  // +kubebuilder:validation:MaxLength=256
  // +required
  ComponentName string `json:"componentName"`
- // componentNamespace is the namespace of the component that will consume a client configuration.
+ // componentNamespace is a required field that specifies the namespace in which the
+ // platform component using the identity provider as an authentication
+ // mode is running.
+ // It is used in combination with componentName as a unique identifier.
+ //
+ // componentNamespace must not be an empty string ("") and must not exceed 63 characters in length.
  //
  // +kubebuilder:validation:MinLength=1
  // +kubebuilder:validation:MaxLength=63
  // +required
  ComponentNamespace string `json:"componentNamespace"`
- // currentOIDCClients is a list of clients that the component is currently using.
+ // currentOIDCClients is an optional list of clients that the component is currently using.
+ // Entries must have unique issuerURL/clientID pairs.
  //
  // +listType=map
  // +listMapKey=issuerURL
  // +listMapKey=clientID
+ // +optional
  CurrentOIDCClients []OIDCClientReference `json:"currentOIDCClients"`
- // consumingUsers is a slice of ServiceAccounts that need to have read
- // permission on the `clientSecret` secret.
+ // consumingUsers is an optional list of ServiceAccounts requiring
+ // read permissions on the `clientSecret` secret.
+ //
+ // consumingUsers must not exceed 5 entries.
  //
  // +kubebuilder:validation:MaxItems=5
  // +listType=set
+ // +optional
  ConsumingUsers []ConsumingUser `json:"consumingUsers"`
  // conditions are used to communicate the state of the `oidcClients` entry.
@@ -343,24 +568,36 @@ type OIDCClientStatus struct {
  //
  // +listType=map
  // +listMapKey=type
+ // +optional
  Conditions []metav1.Condition `json:"conditions,omitempty"`
 }
+// OIDCClientReference is a reference to a platform component
+// client configuration.
 type OIDCClientReference struct {
- // OIDCName refers to the `name` of the provider from `oidcProviders`
+ // oidcProviderName is a required reference to the 'name' of the identity provider
+ // configured in 'oidcProviders' that this client is associated with.
+ //
+ // oidcProviderName must not be an empty string ("").
  //
  // +kubebuilder:validation:MinLength=1
  // +required
  OIDCProviderName string `json:"oidcProviderName"`
- // URL is the serving URL of the token issuer.
- // Must use the https:// scheme.
+ // issuerURL is a required field that specifies the URL of the identity
+ // provider that this client is configured to make requests against.
+ //
+ // issuerURL must use the 'https' scheme.
  //
  // +kubebuilder:validation:Pattern=`^https:\/\/[^\s]`
  // +required
  IssuerURL string `json:"issuerURL"`
- // clientID is the identifier of the OIDC client from the OIDC provider
+ // clientID is a required field that specifies the client identifier, from
+ // the identity provider, that the platform component is using for authentication
+ // requests made to the identity provider.
+ //
+ // clientID must not be empty.
  //
  // +kubebuilder:validation:MinLength=1
  // +required
@@ -368,35 +605,52 @@ type OIDCClientReference struct {
 }
 // +kubebuilder:validation:XValidation:rule="has(self.prefixPolicy) && self.prefixPolicy == 'Prefix' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)",message="prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise"
+// +union
 type UsernameClaimMapping struct {
  TokenClaimMapping `json:",inline"`
- // prefixPolicy specifies how a prefix should apply.
+ // prefixPolicy is an optional field that configures how a prefix should be
+ // applied to the value of the JWT claim specified in the 'claim' field.
+ //
+ // Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).
  //
- // By default, claims other than `email` will be prefixed with the issuer URL to
- // prevent naming clashes with other plugins.
+ // When set to 'Prefix', the value specified in the prefix field will be
+ // prepended to the value of the JWT claim.
+ // The prefix field must be set when prefixPolicy is 'Prefix'.
  //
- // Set to "NoPrefix" to disable prefixing.
+ // When set to 'NoPrefix', no prefix will be prepended to the value
+ // of the JWT claim.
  //
- // Example:
- // (1) `prefix` is set to "myoidc:" and `claim` is set to "username".
- // If the JWT claim `username` contains value `userA`, the resulting
- // mapped value will be "myoidc:userA".
- // (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the
- // JWT `email` claim contains value "userA@myoidc.tld", the resulting
- // mapped value will be "myoidc:userA@myoidc.tld".
- // (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,
- // the JWT claims include "username":"userA" and "email":"userA@myoidc.tld",
- // and `claim` is set to:
- // (a) "username": the mapped value will be "https://myoidc.tld#userA"
- // (b) "email": the mapped value will be "userA@myoidc.tld"
+ // When omitted, this means no opinion and the platform is left to choose
+ // any prefixes that are applied which is subject to change over time.
+ // Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim
+ // when the claim is not 'email'.
+ // As an example, consider the following scenario:
+ // `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,
+ // the JWT claims include "username":"userA" and "email":"userA@myoidc.tld",
+ // and `claim` is set to:
+ // - "username": the mapped value will be "https://myoidc.tld#userA"
+ // - "email": the mapped value will be "userA@myoidc.tld"
  //
  // +kubebuilder:validation:Enum={"", "NoPrefix", "Prefix"}
+ // +optional
+ // +unionDiscriminator
  PrefixPolicy UsernamePrefixPolicy `json:"prefixPolicy"`
+ // prefix configures the prefix that should be prepended to the value
+ // of the JWT claim.
+ //
+ // prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise.
+ //
+ // +optional
+ // +unionMember
  Prefix *UsernamePrefix `json:"prefix"`
 }
+// UsernamePrefixPolicy configures how prefixes should be applied
+// to values extracted from the JWT claims during the process of mapping
+// JWT claims to cluster identity attributes.
+// +enum
 type UsernamePrefixPolicy string
 var (
@@ -411,26 +665,42 @@ var (
  Prefix UsernamePrefixPolicy = "Prefix"
 )
+// UsernamePrefix configures the string that should
+// be used as a prefix for username claim mappings.
 type UsernamePrefix struct {
+ // prefixString is a required field that configures the prefix that will
+ // be applied to cluster identity username attribute
+ // during the process of mapping JWT claims to cluster identity attributes.
+ //
+ // prefixString must not be an empty string ("").
+ //
  // +kubebuilder:validation:MinLength=1
  // +required
  PrefixString string `json:"prefixString"`
 }
+// PrefixedClaimMapping configures a claim mapping
+// that allows for an optional prefix.
 type PrefixedClaimMapping struct {
  TokenClaimMapping `json:",inline"`
- // prefix is a string to prefix the value from the token in the result of the
- // claim mapping.
+ // prefix is an optional field that configures the prefix that will be
+ // applied to the cluster identity attribute during the process of mapping
+ // JWT claims to cluster identity attributes.
  //
- // By default, no prefixing occurs.
+ // When omitted (""), no prefix is applied to the cluster identity attribute.
  //
- // Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains
+ // Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains
  // an array of strings "a", "b" and "c", the mapping will result in an
  // array of string "myoidc:a", "myoidc:b" and "myoidc:c".
+ //
+ // +optional
  Prefix string `json:"prefix"`
 }
+// TokenValidationRuleType represents the different
+// claim validation rule types that can be configured.
+// +enum
 type TokenValidationRuleType string
 const (
@@ -438,26 +708,45 @@ const (
 )
 type TokenClaimValidationRule struct {
- // type sets the type of the validation rule
+ // type is an optional field that configures the type of the validation rule.
+ //
+ // Allowed values are 'RequiredClaim' and omitted (not provided or an empty string).
+ //
+ // When set to 'RequiredClaim', the Kubernetes API server
+ // will be configured to validate that the incoming JWT
+ // contains the required claim and that its value matches
+ // the required value.
+ //
+ // Defaults to 'RequiredClaim'.
  //
  // +kubebuilder:validation:Enum={"RequiredClaim"}
  // +kubebuilder:default="RequiredClaim"
  Type TokenValidationRuleType `json:"type"`
- // requiredClaim allows configuring a required claim name and its expected
- // value
+ // requiredClaim is an optional field that configures the required claim
+ // and value that the Kubernetes API server will use to validate if an incoming
+ // JWT is valid for this identity provider.
+ //
+ // +optional
  RequiredClaim *TokenRequiredClaim `json:"requiredClaim"`
 }
 type TokenRequiredClaim struct {
- // claim is a name of a required claim. Only claims with string values are
- // supported.
+ // claim is a required field that configures the name of the required claim.
+ // When taken from the JWT claims, claim must be a string value.
+ //
+ // claim must not be an empty string ("").
  //
  // +kubebuilder:validation:MinLength=1
  // +required
  Claim string `json:"claim"`
- // requiredValue is the required value for the claim.
+ // requiredValue is a required field that configures the value that 'claim' must
+ // have when taken from the incoming JWT claims.
+ // If the value in the JWT claims does not match, the token
+ // will be rejected for authentication.
+ //
+ // requiredValue must not be an empty string ("").
  //
  // +kubebuilder:validation:MinLength=1
  // +required
diff --git a/vendor/github.com/openshift/api/config/v1/types_cluster_operator.go b/vendor/github.com/openshift/api/config/v1/types_cluster_operator.go
index 4a682364..a447adb9 100644
--- a/vendor/github.com/openshift/api/config/v1/types_cluster_operator.go
+++ b/vendor/github.com/openshift/api/config/v1/types_cluster_operator.go
@@ -53,6 +53,8 @@ type ClusterOperatorStatus struct {
  // conditions describes the state of the operator's managed and monitored components.
  // +patchMergeKey=type
  // +patchStrategy=merge
+ // +listType=map
+ // +listMapKey=type
  // +optional
  Conditions []ClusterOperatorStatusCondition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
diff --git a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go
index 8994ca97..092bebff 100644
--- a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go
+++ b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go
@@ -62,7 +62,7 @@ type ClusterVersionSpec struct {
  //
  // Some of the fields are inter-related with restrictions and meanings described here.
  // 1. image is specified, version is specified, architecture is specified. API validation error.
- // 2. image is specified, version is specified, architecture is not specified. You should not do this. version is silently ignored and image is used.
+ // 2. image is specified, version is specified, architecture is not specified. The version extracted from the referenced image must match the specified version.
  // 3. image is specified, version is not specified, architecture is specified. API validation error.
  // 4. image is specified, version is not specified, architecture is not specified. image is used.
  // 5. image is not specified, version is specified, architecture is specified. version and desired architecture are used to select an image.
@@ -702,16 +702,16 @@ type Update struct {
  Architecture ClusterVersionArchitecture `json:"architecture"`
  // version is a semantic version identifying the update version.
- // version is ignored if image is specified and required if
- // architecture is specified.
+ // version is required if architecture is specified.
+ // If both version and image are set, the version extracted from the referenced image must match the specified version.
  //
  // +optional
  Version string `json:"version"`
  // image is a container image location that contains the update.
  // image should be used when the desired version does not exist in availableUpdates or history.
- // When image is set, version is ignored. When image is set, version should be empty.
  // When image is set, architecture cannot be specified.
+ // If both version and image are set, the version extracted from the referenced image must match the specified version.
  //
  // +optional
  Image string `json:"image"`
@@ -796,11 +796,10 @@ type ConditionalUpdate struct {
  // conditions represents the observations of the conditional update's
  // current status. Known types are:
  // * Recommended, for whether the update is recommended for the current cluster.
- // +patchMergeKey=type
- // +patchStrategy=merge
  // +listType=map
  // +listMapKey=type
- Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`
+ // +optional
+ Conditions []metav1.Condition `json:"conditions,omitempty"`
 }
 // ConditionalUpdateRisk represents a reason and cluster-state
diff --git a/vendor/github.com/openshift/api/config/v1/types_feature.go b/vendor/github.com/openshift/api/config/v1/types_feature.go
index 81bc14f2..0709a75a 100644
--- a/vendor/github.com/openshift/api/config/v1/types_feature.go
+++ b/vendor/github.com/openshift/api/config/v1/types_feature.go
@@ -99,6 +99,7 @@ type FeatureGateStatus struct {
  // Known .status.conditions.type are: "DeterminationDegraded"
  // +listType=map
  // +listMapKey=type
+ // +optional
  Conditions []metav1.Condition `json:"conditions,omitempty"`
  // featureGates contains a list of enabled and disabled featureGates that are keyed by payloadVersion.
diff --git a/vendor/github.com/openshift/api/config/v1/types_image.go b/vendor/github.com/openshift/api/config/v1/types_image.go
index 3db935c7..82f46c8b 100644
--- a/vendor/github.com/openshift/api/config/v1/types_image.go
+++ b/vendor/github.com/openshift/api/config/v1/types_image.go
@@ -161,6 +161,8 @@ type RegistryLocation struct {
 }
 // RegistrySources holds cluster-wide information about how to handle the registries config.
+//
+// +kubebuilder:validation:XValidation:rule="has(self.blockedRegistries) ? !has(self.allowedRegistries) : true",message="Only one of blockedRegistries or allowedRegistries may be set"
 type RegistrySources struct {
  // insecureRegistries are registries which do not have a valid TLS certificates or only support HTTP connections.
  // +optional
diff --git a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go
index 0293603d..ffb0f3f6 100644
--- a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go
+++ b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go
@@ -100,6 +100,8 @@ type InfrastructureStatus struct {
  // +kubebuilder:default=HighlyAvailable
  // +openshift:validation:FeatureGateAwareEnum:featureGate="",enum=HighlyAvailable;SingleReplica;External
  // +openshift:validation:FeatureGateAwareEnum:featureGate=HighlyAvailableArbiter,enum=HighlyAvailable;HighlyAvailableArbiter;SingleReplica;External
+ // +openshift:validation:FeatureGateAwareEnum:featureGate=DualReplica,enum=HighlyAvailable;SingleReplica;DualReplica;External
+ // +openshift:validation:FeatureGateAwareEnum:requiredFeatureGate=HighlyAvailableArbiter;DualReplica,enum=HighlyAvailable;HighlyAvailableArbiter;SingleReplica;DualReplica;External
  ControlPlaneTopology TopologyMode `json:"controlPlaneTopology"`
  // infrastructureTopology expresses the expectations for infrastructure services that do not run on control
@@ -142,6 +144,9 @@ const (
  // "SingleReplica" is for operators to avoid spending resources for high-availability purpose.
  SingleReplicaTopologyMode TopologyMode = "SingleReplica"
+ // "DualReplica" is for operators to configure for two node topology.
+ DualReplicaTopologyMode TopologyMode = "DualReplica"
+
  // "External" indicates that the component is running externally to the cluster. When specified
  // as the control plane topology, operators should avoid scheduling workloads to masters or assume
  // that any of the control plane components such as kubernetes API server or etcd are visible within
@@ -528,18 +533,22 @@ type AWSPlatformStatus struct {
 // AWSResourceTag is a tag to apply to AWS resources created for the cluster.
 type AWSResourceTag struct {
- // key is the key of the tag
+ // key sets the key of the AWS resource tag key-value pair. Key is required when defining an AWS resource tag.
+ // Key should consist of between 1 and 128 characters, and may
+ // contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', and '@'.
  // +kubebuilder:validation:MinLength=1
  // +kubebuilder:validation:MaxLength=128
- // +kubebuilder:validation:Pattern=`^[0-9A-Za-z_.:/=+-@]+$`
+ // +kubebuilder:validation:XValidation:rule=`self.matches('^[0-9A-Za-z_.:/=+-@ ]+$')`,message="invalid AWS resource tag key. The string can contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', '@'"
  // +required
  Key string `json:"key"`
- // value is the value of the tag.
+ // value sets the value of the AWS resource tag key-value pair. Value is required when defining an AWS resource tag.
+ // Value should consist of between 1 and 256 characters, and may
+ // contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', and '@'.
  // Some AWS service do not support empty values. Since tags are added to resources in many services, the
  // length of the tag value must meet the requirements of all services.
  // +kubebuilder:validation:MinLength=1
  // +kubebuilder:validation:MaxLength=256
- // +kubebuilder:validation:Pattern=`^[0-9A-Za-z_.:/=+-@]+$`
+ // +kubebuilder:validation:XValidation:rule=`self.matches('^[0-9A-Za-z_.:/=+-@ ]+$')`,message="invalid AWS resource tag value. The string can contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', '@'"
  // +required
  Value string `json:"value"`
 }
@@ -620,6 +629,66 @@ const (
  AzureStackCloud AzureCloudEnvironment = "AzureStackCloud"
 )
+// GCPServiceEndpointName is the name of the GCP Service Endpoint.
+// +kubebuilder:validation:Enum=Compute;Container;CloudResourceManager;DNS;File;IAM;ServiceUsage;Storage
+type GCPServiceEndpointName string
+
+const (
+ // GCPServiceEndpointNameCompute is the name used for the GCP Compute Service endpoint.
+ GCPServiceEndpointNameCompute GCPServiceEndpointName = "Compute"
+
+ // GCPServiceEndpointNameContainer is the name used for the GCP Container Service endpoint.
+ GCPServiceEndpointNameContainer GCPServiceEndpointName = "Container"
+
+ // GCPServiceEndpointNameCloudResource is the name used for the GCP Resource Manager Service endpoint.
+ GCPServiceEndpointNameCloudResource GCPServiceEndpointName = "CloudResourceManager"
+
+ // GCPServiceEndpointNameDNS is the name used for the GCP DNS Service endpoint.
+ GCPServiceEndpointNameDNS GCPServiceEndpointName = "DNS"
+
+ // GCPServiceEndpointNameFile is the name used for the GCP File Service endpoint.
+ GCPServiceEndpointNameFile GCPServiceEndpointName = "File"
+
+ // GCPServiceEndpointNameIAM is the name used for the GCP IAM Service endpoint.
+ GCPServiceEndpointNameIAM GCPServiceEndpointName = "IAM"
+
+ // GCPServiceEndpointNameServiceUsage is the name used for the GCP Service Usage Service endpoint.
+ GCPServiceEndpointNameServiceUsage GCPServiceEndpointName = "ServiceUsage"
+
+ // GCPServiceEndpointNameStorage is the name used for the GCP Storage Service endpoint.
+ GCPServiceEndpointNameStorage GCPServiceEndpointName = "Storage"
+)
+
+// GCPServiceEndpoint store the configuration of a custom url to
+// override existing defaults of GCP Services.
+type GCPServiceEndpoint struct {
+ // name is the name of the GCP service whose endpoint is being overridden.
+ // This must be provided and cannot be empty.
+ //
+ // Allowed values are Compute, Container, CloudResourceManager, DNS, File, IAM, ServiceUsage,
+ // Storage, and TagManager.
+ //
+ // As an example, when setting the name to Compute all requests made by the caller to the GCP Compute
+ // Service will be directed to the endpoint specified in the url field.
+ //
+ // +required
+ Name GCPServiceEndpointName `json:"name"`
+
+ // url is a fully qualified URI that overrides the default endpoint for a client using the GCP service specified
+ // in the name field.
+ // url is required, must use the scheme https, must not be more than 253 characters in length,
+ // and must be a valid URL according to Go's net/url package (https://pkg.go.dev/net/url#URL)
+ //
+ // An example of a valid endpoint that overrides the Compute Service: "https://compute-myendpoint1.p.googleapis.com"
+ //
+ // +required
+ // +kubebuilder:validation:MaxLength=253
+ // +kubebuilder:validation:XValidation:rule="isURL(self)",message="must be a valid URL"
+ // +kubebuilder:validation:XValidation:rule="isURL(self) ? (url(self).getScheme() == \"https\") : true",message="scheme must be https"
+ // +kubebuilder:validation:XValidation:rule="url(self).getEscapedPath() == \"\" || url(self).getEscapedPath() == \"/\"",message="url must consist only of a scheme and domain. The url path must be empty."
+ URL string `json:"url"`
+}
+
 // GCPPlatformSpec holds the desired state of the Google Cloud Platform infrastructure provider.
 // This only includes fields that can be modified in the cluster.
 type GCPPlatformSpec struct{}
@@ -675,6 +744,19 @@ type GCPPlatformStatus struct {
  // +optional
  // +nullable
  CloudLoadBalancerConfig *CloudLoadBalancerConfig `json:"cloudLoadBalancerConfig,omitempty"`
+
+ // serviceEndpoints specifies endpoints that override the default endpoints
+ // used when creating clients to interact with GCP services.
+ // When not specified, the default endpoint for the GCP region will be used.
+ // Only 1 endpoint override is permitted for each GCP service.
+ // The maximum number of endpoint overrides allowed is 9.
+ // +listType=map
+ // +listMapKey=name
+ // +kubebuilder:validation:MaxItems=8
+ // +kubebuilder:validation:XValidation:rule="self.all(x, self.exists_one(y, x.name == y.name))",message="only 1 endpoint override is permitted per GCP service name"
+ // +optional
+ // +openshift:enable:FeatureGate=GCPCustomAPIEndpoints
+ ServiceEndpoints []GCPServiceEndpoint `json:"serviceEndpoints,omitempty"`
 }
 // GCPResourceLabel is a label to apply to GCP resources created for the cluster.
@@ -923,7 +1005,6 @@ type BareMetalPlatformStatus struct {
  // loadBalancer defines how the load balancer used by the cluster is configured.
  // +default={"type": "OpenShiftManagedDefault"}
  // +kubebuilder:default={"type": "OpenShiftManagedDefault"}
- // +openshift:enable:FeatureGate=BareMetalLoadBalancer
  // +optional
  LoadBalancer *BareMetalPlatformLoadBalancer `json:"loadBalancer,omitempty"`
@@ -1137,7 +1218,6 @@ type OvirtPlatformStatus struct {
  // loadBalancer defines how the load balancer used by the cluster is configured.
  // +default={"type": "OpenShiftManagedDefault"}
  // +kubebuilder:default={"type": "OpenShiftManagedDefault"}
- // +openshift:enable:FeatureGate=BareMetalLoadBalancer
  // +optional
  LoadBalancer *OvirtPlatformLoadBalancer `json:"loadBalancer,omitempty"`
 }
@@ -1307,7 +1387,6 @@ type VSpherePlatformTopology struct {
  // VSpherePlatformFailureDomainSpec.
  // For example, for zone=zonea, region=region1, and infrastructure name=test,
  // the template path would be calculated as //vm/test-rhcos-region1-zonea.
- // +openshift:enable:FeatureGate=VSphereControlPlaneMachineSet
  // +kubebuilder:validation:MinLength=1
  // +kubebuilder:validation:MaxLength=2048
  // +kubebuilder:validation:Pattern=`^/.*?/vm/.*?`
@@ -1475,8 +1554,7 @@ type VSpherePlatformSpec struct {
  // + If VCenters is not defined use the existing cloud-config configmap defined
  // + in openshift-config.
  // +kubebuilder:validation:MinItems=0
- // +openshift:validation:FeatureGateAwareMaxItems:featureGate="",maxItems=1
- // +openshift:validation:FeatureGateAwareMaxItems:featureGate=VSphereMultiVCenters,maxItems=3
+ // +kubebuilder:validation:MaxItems=3
  // +kubebuilder:validation:XValidation:rule="size(self) != size(oldSelf) ? size(oldSelf) == 0 && size(self) < 2 : true",message="vcenters cannot be added or removed once set"
  // +listType=atomic
  // +optional
@@ -1588,7 +1666,6 @@ type VSpherePlatformStatus struct {
  // loadBalancer defines how the load balancer used by the cluster is configured.
  // +default={"type": "OpenShiftManagedDefault"}
  // +kubebuilder:default={"type": "OpenShiftManagedDefault"}
- // +openshift:enable:FeatureGate=BareMetalLoadBalancer
  // +optional
  LoadBalancer *VSpherePlatformLoadBalancer `json:"loadBalancer,omitempty"`
@@ -1615,17 +1692,35 @@ type IBMCloudServiceEndpoint struct {
  // url is fully qualified URI with scheme https, that overrides the default generated
  // endpoint for a client.
- // This must be provided and cannot be empty.
+ // This must be provided and cannot be empty. The path must follow the pattern
+ // /v[0,9]+ or /api/v[0,9]+
  //
  // +required
  // +kubebuilder:validation:Type=string
+ // +kubebuilder:validation:MaxLength=300
  // +kubebuilder:validation:XValidation:rule="isURL(self)",message="url must be a valid absolute URL"
+ // +openshift:validation:FeatureGateAwareXValidation:featureGate=DyanmicServiceEndpointIBMCloud,rule="url(self).getScheme() == \"https\"",message="url must use https scheme"
+ // +openshift:validation:FeatureGateAwareXValidation:featureGate=DyanmicServiceEndpointIBMCloud,rule=`matches((url(self).getEscapedPath()), '^/(api/)?v[0-9]+/{0,1}$')`,message="url path must match /v[0,9]+ or /api/v[0,9]+"
  URL string `json:"url"`
 }
 // IBMCloudPlatformSpec holds the desired state of the IBMCloud infrastructure provider.
 // This only includes fields that can be modified in the cluster.
-type IBMCloudPlatformSpec struct{}
+type IBMCloudPlatformSpec struct {
+ // serviceEndpoints is a list of custom endpoints which will override the default
+ // service endpoints of an IBM service. These endpoints are used by components
+ // within the cluster when trying to reach the IBM Cloud Services that have been
+ // overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each
+ // endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus
+ // are updated to reflect the same custom endpoints.
+ // A maximum of 13 service endpoints overrides are supported.
+ // +kubebuilder:validation:MaxItems=13
+ // +listType=map
+ // +listMapKey=name
+ // +optional
+ // +openshift:enable:FeatureGate=DyanmicServiceEndpointIBMCloud
+ ServiceEndpoints []IBMCloudServiceEndpoint `json:"serviceEndpoints,omitempty"`
+}
 // IBMCloudPlatformStatus holds the current status of the IBMCloud infrastructure provider.
 type IBMCloudPlatformStatus struct {
@@ -1647,8 +1742,12 @@ type IBMCloudPlatformStatus struct {
  DNSInstanceCRN string `json:"dnsInstanceCRN,omitempty"`
  // serviceEndpoints is a list of custom endpoints which will override the default
- // service endpoints of an IBM Cloud service. These endpoints are consumed by
- // components within the cluster to reach the respective IBM Cloud Services.
+ // service endpoints of an IBM service. These endpoints are used by components
+ // within the cluster when trying to reach the IBM Cloud Services that have been
+ // overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each
+ // endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus
+ // are updated to reflect the same custom endpoints.
+ // +openshift:validation:FeatureGateAwareMaxItems:featureGate=DyanmicServiceEndpointIBMCloud,maxItems=13
  // +listType=map
  // +listMapKey=name
  // +optional
@@ -1984,7 +2083,6 @@ type NutanixPlatformStatus struct {
  // loadBalancer defines how the load balancer used by the cluster is configured.
  // +default={"type": "OpenShiftManagedDefault"}
  // +kubebuilder:default={"type": "OpenShiftManagedDefault"}
- // +openshift:enable:FeatureGate=BareMetalLoadBalancer
  // +optional
  LoadBalancer *NutanixPlatformLoadBalancer `json:"loadBalancer,omitempty"`
 }
diff --git a/vendor/github.com/openshift/api/config/v1/types_kmsencryption.go b/vendor/github.com/openshift/api/config/v1/types_kmsencryption.go
new file mode 100644
index 00000000..3293204f
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_kmsencryption.go
@@ -0,0 +1,55 @@
+package v1
+
+// KMSConfig defines the configuration for the KMS instance
+// that will be used with KMSEncryptionProvider encryption
+// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'AWS' ? has(self.aws) : !has(self.aws)",message="aws config is required when kms provider type is AWS, and forbidden otherwise"
+// +union
+type KMSConfig struct {
+ // type defines the kind of platform for the KMS provider.
+ // Available provider types are AWS only.
+ //
+ // +unionDiscriminator
+ // +required
+ Type KMSProviderType `json:"type"`
+
+ // aws defines the key config for using an AWS KMS instance
+ // for the encryption. The AWS KMS instance is managed
+ // by the user outside the purview of the control plane.
+ //
+ // +unionMember
+ // +optional
+ AWS *AWSKMSConfig `json:"aws,omitempty"`
+}
+
+// AWSKMSConfig defines the KMS config specific to AWS KMS provider
+type AWSKMSConfig struct {
+ // keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption.
+ // The value must adhere to the format `arn:aws:kms:::key/`, where:
+ // - `` is the AWS region consisting of lowercase letters and hyphens followed by a number.
+ // - `` is a 12-digit numeric identifier for the AWS account.
+ // - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.
+ //
+ // +kubebuilder:validation:MaxLength=128
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:XValidation:rule="self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')",message="keyARN must follow the format `arn:aws:kms:::key/`. The account ID must be a 12 digit number and the region and key ID should consist only of lowercase hexadecimal characters and hyphens (-)."
+ // +required
+ KeyARN string `json:"keyARN"`
+ // region specifies the AWS region where the KMS instance exists, and follows the format
+ // `--`, e.g.: `us-east-1`.
+ // Only lowercase letters and hyphens followed by numbers are allowed.
+ //
+ // +kubebuilder:validation:MaxLength=64
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:XValidation:rule="self.matches('^[a-z0-9]+(-[a-z0-9]+)*$')",message="region must be a valid AWS region, consisting of lowercase characters, digits and hyphens (-) only."
+ // +required
+ Region string `json:"region"`
+}
+
+// KMSProviderType is a specific supported KMS provider
+// +kubebuilder:validation:Enum=AWS
+type KMSProviderType string
+
+const (
+ // AWSKMSProvider represents a supported KMS provider for use with AWS KMS
+ AWSKMSProvider KMSProviderType = "AWS"
+)
diff --git a/vendor/github.com/openshift/api/config/v1/types_network.go b/vendor/github.com/openshift/api/config/v1/types_network.go
index 95e55a7f..41dc2eb9 100644
--- a/vendor/github.com/openshift/api/config/v1/types_network.go
+++ b/vendor/github.com/openshift/api/config/v1/types_network.go
@@ -112,12 +112,10 @@ type NetworkStatus struct {
 // conditions represents the observations of a network.config current state.
 // Known .status.conditions.type are: "NetworkDiagnosticsAvailable"
 // +optional
- // +patchMergeKey=type
- // +patchStrategy=merge
 // +listType=map
 // +listMapKey=type
 // +openshift:enable:FeatureGate=NetworkDiagnosticsConfig
- Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+ Conditions []metav1.Condition `json:"conditions,omitempty"`
 }
 
 // ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs
diff --git a/vendor/github.com/openshift/api/config/v1/types_node.go b/vendor/github.com/openshift/api/config/v1/types_node.go
index 3fc7bc0c..1282f331 100644
--- a/vendor/github.com/openshift/api/config/v1/types_node.go
+++ b/vendor/github.com/openshift/api/config/v1/types_node.go
@@ -68,22 +68,20 @@ type NodeSpec struct {
 
 type NodeStatus struct {
 // conditions contain the details and the current state of the nodes.config object
- // +patchMergeKey=type
- // +patchStrategy=merge
 // +listType=map
 // +listMapKey=type
 // +optional
- Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+ Conditions []metav1.Condition `json:"conditions,omitempty"`
 }
 
-// +kubebuilder:validation:Enum=v1;v2;""
+// +kubebuilder:validation:Enum=v2;""
 type CgroupMode string
 
 const (
 CgroupModeEmpty CgroupMode = "" // Empty string indicates to honor user set value on the system that should not be overridden by OpenShift
 CgroupModeV1 CgroupMode = "v1"
 CgroupModeV2 CgroupMode = "v2"
- CgroupModeDefault CgroupMode = CgroupModeV1
+ CgroupModeDefault CgroupMode = CgroupModeV2
 )
 
 // +kubebuilder:validation:Enum=Default;MediumUpdateAverageReaction;LowUpdateSlowReaction
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go
index b013d459..38aa2f6f 100644
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go
@@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1
@@ -42,6 +42,11 @@ func (in *APIServer) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *APIServerEncryption) DeepCopyInto(out *APIServerEncryption) { *out = *in + if in.KMS != nil { + in, out := &in.KMS, &out.KMS + *out = new(KMSConfig) + (*in).DeepCopyInto(*out) + } return }
@@ -143,7 +148,7 @@ func (in *APIServerSpec) DeepCopyInto(out *APIServerSpec) { *out = make([]string, len(*in)) copy(*out, *in) } - out.Encryption = in.Encryption + in.Encryption.DeepCopyInto(&out.Encryption) if in.TLSSecurityProfile != nil { in, out := &in.TLSSecurityProfile, &out.TLSSecurityProfile *out = new(TLSSecurityProfile) @@ -211,6 +216,22 @@ func (in *AWSIngressSpec) DeepCopy() *AWSIngressSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AWSKMSConfig) DeepCopyInto(out *AWSKMSConfig) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSKMSConfig. +func (in *AWSKMSConfig) DeepCopy() *AWSKMSConfig { + if in == nil { + return nil + } + out := new(AWSKMSConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AWSPlatformSpec) DeepCopyInto(out *AWSPlatformSpec) { *out = *in @@ -2000,6 +2021,22 @@ func (in *ExternalPlatformStatus) DeepCopy() *ExternalPlatformStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExtraMapping) DeepCopyInto(out *ExtraMapping) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtraMapping. +func (in *ExtraMapping) DeepCopy() *ExtraMapping { + if in == nil { + return nil + } + out := new(ExtraMapping) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *FeatureGate) DeepCopyInto(out *FeatureGate) { *out = *in 
@@ -2226,6 +2263,11 @@ func (in *GCPPlatformStatus) DeepCopyInto(out *GCPPlatformStatus) { *out = new(CloudLoadBalancerConfig) (*in).DeepCopyInto(*out) } + if in.ServiceEndpoints != nil { + in, out := &in.ServiceEndpoints, &out.ServiceEndpoints + *out = make([]GCPServiceEndpoint, len(*in)) + copy(*out, *in) + } return } @@ -2271,6 +2313,22 @@ func (in *GCPResourceTag) DeepCopy() *GCPResourceTag { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GCPServiceEndpoint) DeepCopyInto(out *GCPServiceEndpoint) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPServiceEndpoint. +func (in *GCPServiceEndpoint) DeepCopy() *GCPServiceEndpoint { + if in == nil { + return nil + } + out := new(GCPServiceEndpoint) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GenericAPIServerConfig) DeepCopyInto(out *GenericAPIServerConfig) { *out = *in @@ -2450,6 +2508,11 @@ func (in *HubSourceStatus) DeepCopy() *HubSourceStatus { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *IBMCloudPlatformSpec) DeepCopyInto(out *IBMCloudPlatformSpec) { *out = *in + if in.ServiceEndpoints != nil { + in, out := &in.ServiceEndpoints, &out.ServiceEndpoints + *out = make([]IBMCloudServiceEndpoint, len(*in)) + copy(*out, *in) + } return } 
@@ -3279,6 +3342,27 @@ func (in *IntermediateTLSProfile) DeepCopy() *IntermediateTLSProfile { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KMSConfig) DeepCopyInto(out *KMSConfig) { + *out = *in + if in.AWS != nil { + in, out := &in.AWS, &out.AWS + *out = new(AWSKMSConfig) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KMSConfig. +func (in *KMSConfig) DeepCopy() *KMSConfig { + if in == nil { + return nil + } + out := new(KMSConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *KeystoneIdentityProvider) DeepCopyInto(out *KeystoneIdentityProvider) { *out = *in @@ -4689,7 +4773,7 @@ func (in *PlatformSpec) DeepCopyInto(out *PlatformSpec) { if in.IBMCloud != nil { in, out := &in.IBMCloud, &out.IBMCloud *out = new(IBMCloudPlatformSpec) - **out = **in + (*in).DeepCopyInto(*out) } if in.Kubevirt != nil { in, out := &in.Kubevirt, &out.Kubevirt @@ -5659,6 +5743,16 @@ func (in *TokenClaimMappings) DeepCopyInto(out *TokenClaimMappings) { *out = *in in.Username.DeepCopyInto(&out.Username) out.Groups = in.Groups + if in.UID != nil { + in, out := &in.UID, &out.UID + *out = new(TokenClaimOrExpressionMapping) + **out = **in + } + if in.Extra != nil { + in, out := &in.Extra, &out.Extra + *out = make([]ExtraMapping, len(*in)) + copy(*out, *in) + } return } 
@@ -5672,6 +5766,22 @@ func (in *TokenClaimMappings) DeepCopy() *TokenClaimMappings { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TokenClaimOrExpressionMapping) DeepCopyInto(out *TokenClaimOrExpressionMapping) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenClaimOrExpressionMapping. +func (in *TokenClaimOrExpressionMapping) DeepCopy() *TokenClaimOrExpressionMapping { + if in == nil { + return nil + } + out := new(TokenClaimOrExpressionMapping) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TokenClaimValidationRule) DeepCopyInto(out *TokenClaimValidationRule) { *out = *in diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml index 78fd36f3..a681631c 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml @@ -5,7 +5,8 @@ apiservers.config.openshift.io: CRDName: apiservers.config.openshift.io Capability: "" Category: "" - FeatureGates: [] + FeatureGates: + - KMSEncryptionProvider FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" @@ -29,6 +30,7 @@ authentications.config.openshift.io: Category: "" FeatureGates: - ExternalOIDC + - ExternalOIDCWithUIDAndExtraClaimMappings FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" 
@@ -312,15 +314,16 @@ infrastructures.config.openshift.io: Category: "" FeatureGates: - AWSClusterHostedDNS - - BareMetalLoadBalancer + - DualReplica + - DyanmicServiceEndpointIBMCloud - GCPClusterHostedDNS + - GCPCustomAPIEndpoints - GCPLabelsTags - HighlyAvailableArbiter + - HighlyAvailableArbiter+DualReplica - NutanixMultiSubnets - - VSphereControlPlaneMachineSet - VSphereHostVMGroupZonal - VSphereMultiNetworks - - VSphereMultiVCenters FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go index 0ac9c7cc..002ea77f 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go 
@@ -277,7 +277,9 @@ func (APIServer) SwaggerDoc() map[string]string { } var map_APIServerEncryption = map[string]string{ + "": "APIServerEncryption is used to encrypt sensitive resources on the cluster.", "type": "type defines what encryption type should be used to encrypt resources at the datastore layer. When this field is unset (i.e. when it is set to the empty string), identity is implied. The behavior of unset can and will change over time. Even if encryption is enabled by default, the meaning of unset may change to a different encryption type based on changes in best practices.\n\nWhen encryption is enabled, all sensitive resources shipped with the platform are encrypted. This list of sensitive resources can and will change over time. The current authoritative list is:\n\n 1. secrets\n 2. configmaps\n 3. routes.route.openshift.io\n 4. oauthaccesstokens.oauth.openshift.io\n 5. oauthauthorizetokens.oauth.openshift.io", + "kms": "kms defines the configuration for the external KMS instance that manages the encryption keys, when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an externally configured KMS instance.\n\nThe Key Management Service (KMS) instance provides symmetric encryption and is responsible for managing the lifecyle of the encryption keys outside of the control plane. This allows integration with an external provider to manage the data encryption keys securely.", } func (APIServerEncryption) SwaggerDoc() map[string]string { 
@@ -394,12 +396,23 @@ func (DeprecatedWebhookTokenAuthenticator) SwaggerDoc() map[string]string { return map_DeprecatedWebhookTokenAuthenticator } +var map_ExtraMapping = map[string]string{ + "": "ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token.", + "key": "key is a required field that specifies the string to use as the extra attribute key.\n\nkey must be a domain-prefix path (e.g 'example.org/foo'). key must not exceed 510 characters in length. key must contain the '/' character, separating the domain and path characters. key must not be empty.\n\nThe domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. It must not exceed 253 characters in length. It must start and end with an alphanumeric character. It must only contain lower case alphanumeric characters and '-' or '.'. It must not use the reserved domains, or be subdomains of, \"kubernetes.io\", \"k8s.io\", and \"openshift.io\".\n\nThe path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. It must not exceed 256 characters in length.", + "valueExpression": "valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. \"\", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. 
Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nvalueExpression must not exceed 4096 characters in length. valueExpression must not be empty.", +} + +func (ExtraMapping) SwaggerDoc() map[string]string { + return map_ExtraMapping +} + var map_OIDCClientConfig = map[string]string{ - "componentName": "componentName is the name of the component that is supposed to consume this client configuration", - "componentNamespace": "componentNamespace is the namespace of the component that is supposed to consume this client configuration", - "clientID": "clientID is the identifier of the OIDC client from the OIDC provider", - "clientSecret": "clientSecret refers to a secret in the `openshift-config` namespace that contains the client secret in the `clientSecret` key of the `.data` field", - "extraScopes": "extraScopes is an optional set of scopes to request tokens with.", + "": "OIDCClientConfig configures how platform clients interact with identity providers as an authentication method", + "componentName": "componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", + "componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", + "clientID": "clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. 
The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode.\n\nclientID must not be an empty string (\"\").", + "clientSecret": "clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.\n\nWhen not specified, no client secret will be used when making authentication requests to the identity provider.\n\nWhen specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider.\n\nPublic clients do not require a client secret but private clients do require a client secret to work with the identity provider.", + "extraScopes": "extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes.\n\nWhen omitted, no additional scopes are requested.", } func (OIDCClientConfig) SwaggerDoc() map[string]string { 
@@ -407,9 +420,10 @@ func (OIDCClientConfig) SwaggerDoc() map[string]string { } var map_OIDCClientReference = map[string]string{ - "oidcProviderName": "OIDCName refers to the `name` of the provider from `oidcProviders`", - "issuerURL": "URL is the serving URL of the token issuer. Must use the https:// scheme.", - "clientID": "clientID is the identifier of the OIDC client from the OIDC provider", + "": "OIDCClientReference is a reference to a platform component client configuration.", + "oidcProviderName": "oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with.\n\noidcProviderName must not be an empty string (\"\").", + "issuerURL": "issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against.\n\nissuerURL must use the 'https' scheme.", + "clientID": "clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider.\n\nclientID must not be empty.", } func (OIDCClientReference) SwaggerDoc() map[string]string { 
@@ -417,10 +431,11 @@ func (OIDCClientReference) SwaggerDoc() map[string]string { } var map_OIDCClientStatus = map[string]string{ - "componentName": "componentName is the name of the component that will consume a client configuration.", - "componentNamespace": "componentNamespace is the namespace of the component that will consume a client configuration.", - "currentOIDCClients": "currentOIDCClients is a list of clients that the component is currently using.", - "consumingUsers": "consumingUsers is a slice of ServiceAccounts that need to have read permission on the `clientSecret` secret.", + "": "OIDCClientStatus represents the current state of platform components and how they interact with the configured identity providers.", + "componentName": "componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", + "componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", + "currentOIDCClients": "currentOIDCClients is an optional list of clients that the component is currently using. 
Entries must have unique issuerURL/clientID pairs.", + "consumingUsers": "consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret.\n\nconsumingUsers must not exceed 5 entries.", "conditions": "conditions are used to communicate the state of the `oidcClients` entry.\n\nSupported conditions include Available, Degraded and Progressing.\n\nIf Available is true, the component is successfully using the configured client. If Degraded is true, that means something has gone wrong trying to handle the client configuration. If Progressing is true, that means the component is taking some action related to the `oidcClients` entry.", } 
@@ -429,11 +444,11 @@ func (OIDCClientStatus) SwaggerDoc() map[string]string { } var map_OIDCProvider = map[string]string{ - "name": "name of the OIDC provider", - "issuer": "issuer describes atributes of the OIDC token issuer", - "oidcClients": "oidcClients contains configuration for the platform's clients that need to request tokens from the issuer", - "claimMappings": "claimMappings describes rules on how to transform information from an ID token into a cluster identity", - "claimValidationRules": "claimValidationRules are rules that are applied to validate token claims to authenticate users.", + "name": "name is a required field that configures the unique human-readable identifier associated with the identity provider. It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics.\n\nname must not be an empty string (\"\").", + "issuer": "issuer is a required field that configures how the platform interacts with the identity provider and how tokens issued from the identity provider are evaluated by the Kubernetes API server.", + "oidcClients": "oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.", + "claimMappings": "claimMappings is an optional field that configures the rules to be used by the Kubernetes API server for translating claims in a JWT token, issued by the identity provider, to a cluster identity.", + "claimValidationRules": "claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider.\n\nValidation rules are joined via an AND operation.", } func (OIDCProvider) SwaggerDoc() map[string]string { 
@@ -441,7 +456,8 @@ func (OIDCProvider) SwaggerDoc() map[string]string { } var map_PrefixedClaimMapping = map[string]string{ - "prefix": "prefix is a string to prefix the value from the token in the result of the claim mapping.\n\nBy default, no prefixing occurs.\n\nExample: if `prefix` is set to \"myoidc:\"\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", + "": "PrefixedClaimMapping configures a claim mapping that allows for an optional prefix.", + "prefix": "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", } func (PrefixedClaimMapping) SwaggerDoc() map[string]string { @@ -449,7 +465,8 @@ func (PrefixedClaimMapping) SwaggerDoc() map[string]string { } var map_TokenClaimMapping = map[string]string{ - "claim": "claim is a JWT token claim to be used in the mapping", + "": "TokenClaimMapping allows specifying a JWT token claim to be used when mapping claims from an authentication token to cluster identities.", + "claim": "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.", } func (TokenClaimMapping) SwaggerDoc() map[string]string { 
@@ -457,17 +474,29 @@ func (TokenClaimMapping) SwaggerDoc() map[string]string { } var map_TokenClaimMappings = map[string]string{ - "username": "username is a name of the claim that should be used to construct usernames for the cluster identity.\n\nDefault value: \"sub\"", - "groups": "groups is a name of the claim that should be used to construct groups for the cluster identity. The referenced claim must use array of strings values.", + "username": "username is an optional field that configures how the username of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.", + "groups": "groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). For example - '\"example\"' and '\"exampleOne\", \"exampleTwo\", \"exampleThree\"' are valid claim values.", + "uid": "uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity.\n\nWhen using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. The current default is to use the 'sub' claim.", + "extra": "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. 
A maximum of 64 extra attribute mappings may be provided.", } func (TokenClaimMappings) SwaggerDoc() map[string]string { return map_TokenClaimMappings } +var map_TokenClaimOrExpressionMapping = map[string]string{ + "": "TokenClaimOrExpressionMapping allows specifying either a JWT token claim or CEL expression to be used when mapping claims from an authentication token to cluster identities.", + "claim": "claim is an optional field for specifying the JWT token claim that is used in the mapping. The value of this claim will be assigned to the field in which this mapping is associated.\n\nPrecisely one of claim or expression must be set. claim must not be specified when expression is set. When specified, claim must be at least 1 character in length and must not exceed 256 characters in length.", + "expression": "expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nPrecisely one of claim or expression must be set. expression must not be specified when claim is set. 
When specified, expression must be at least 1 character in length and must not exceed 4096 characters in length.", +} + +func (TokenClaimOrExpressionMapping) SwaggerDoc() map[string]string { + return map_TokenClaimOrExpressionMapping +} + var map_TokenClaimValidationRule = map[string]string{ - "type": "type sets the type of the validation rule", - "requiredClaim": "requiredClaim allows configuring a required claim name and its expected value", + "type": "type is an optional field that configures the type of the validation rule.\n\nAllowed values are 'RequiredClaim' and omitted (not provided or an empty string).\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nDefaults to 'RequiredClaim'.", + "requiredClaim": "requiredClaim is an optional field that configures the required claim and value that the Kubernetes API server will use to validate if an incoming JWT is valid for this identity provider.", } func (TokenClaimValidationRule) SwaggerDoc() map[string]string { 
@@ -475,9 +504,9 @@ func (TokenClaimValidationRule) SwaggerDoc() map[string]string { } var map_TokenIssuer = map[string]string{ - "issuerURL": "URL is the serving URL of the token issuer. Must use the https:// scheme.", - "audiences": "audiences is an array of audiences that the token was issued for. Valid tokens must include at least one of these values in their \"aud\" claim. Must be set to exactly one value.", - "issuerCertificateAuthority": "CertificateAuthority is a reference to a config map in the configuration namespace. The .data of the configMap must contain the \"ca-bundle.crt\" key. If unset, system trust is used instead.", + "issuerURL": "issuerURL is a required field that configures the URL used to issue tokens by the identity provider. The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.\n\nissuerURL must use the 'https' scheme.", + "audiences": "audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token.\n\naudiences must contain at least one entry and must not exceed ten entries.", + "issuerCertificateAuthority": "issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information.\n\nWhen not specified, the system trust is used.\n\nWhen specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap.", } func (TokenIssuer) SwaggerDoc() map[string]string { 
@@ -485,8 +514,8 @@ func (TokenIssuer) SwaggerDoc() map[string]string { } var map_TokenRequiredClaim = map[string]string{ - "claim": "claim is a name of a required claim. Only claims with string values are supported.", - "requiredValue": "requiredValue is the required value for the claim.", + "claim": "claim is a required field that configures the name of the required claim. When taken from the JWT claims, claim must be a string value.\n\nclaim must not be an empty string (\"\").", + "requiredValue": "requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. If the value in the JWT claims does not match, the token will be rejected for authentication.\n\nrequiredValue must not be an empty string (\"\").", } func (TokenRequiredClaim) SwaggerDoc() map[string]string { 
@@ -494,13 +523,23 @@ func (TokenRequiredClaim) SwaggerDoc() map[string]string { } var map_UsernameClaimMapping = map[string]string{ - "prefixPolicy": "prefixPolicy specifies how a prefix should apply.\n\nBy default, claims other than `email` will be prefixed with the issuer URL to prevent naming clashes with other plugins.\n\nSet to \"NoPrefix\" to disable prefixing.\n\nExample:\n (1) `prefix` is set to \"myoidc:\" and `claim` is set to \"username\".\n If the JWT claim `username` contains value `userA`, the resulting\n mapped value will be \"myoidc:userA\".\n (2) `prefix` is set to \"myoidc:\" and `claim` is set to \"email\". If the\n JWT `email` claim contains value \"userA@myoidc.tld\", the resulting\n mapped value will be \"myoidc:userA@myoidc.tld\".\n (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n (a) \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n (b) \"email\": the mapped value will be \"userA@myoidc.tld\"", + "prefixPolicy": "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. The prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. 
As an example, consider the following scenario:\n `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n - \"email\": the mapped value will be \"userA@myoidc.tld\"", + "prefix": "prefix configures the prefix that should be prepended to the value of the JWT claim.\n\nprefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise.", } func (UsernameClaimMapping) SwaggerDoc() map[string]string { return map_UsernameClaimMapping } +var map_UsernamePrefix = map[string]string{ + "": "UsernamePrefix configures the string that should be used as a prefix for username claim mappings.", + "prefixString": "prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes.\n\nprefixString must not be an empty string (\"\").", +} + +func (UsernamePrefix) SwaggerDoc() map[string]string { + return map_UsernamePrefix +} + var map_WebhookTokenAuthenticator = map[string]string{ "": "webhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator", "kubeConfig": "kubeConfig references a secret that contains kube config file data which describes how to access the remote webhook service. The namespace for the referenced secret is openshift-config.\n\nFor further details, see:\n\nhttps://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication\n\nThe key \"kubeConfig\" is used to locate the data. If the secret or expected key is not found, the webhook is not honored. If the specified kube config data is not valid, the webhook is not honored.", 
@@ -698,7 +737,7 @@ func (ClusterVersionList) SwaggerDoc() map[string]string { var map_ClusterVersionSpec = map[string]string{ "": "ClusterVersionSpec is the desired version state of the cluster. It includes the version the cluster should be at, how the cluster is identified, and where the cluster should look for version updates.", "clusterID": "clusterID uniquely identifies this cluster. This is expected to be an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in hexadecimal values). This is a required field.", - "desiredUpdate": "desiredUpdate is an optional field that indicates the desired value of the cluster version. Setting this value will trigger an upgrade (if the current version does not match the desired version). The set of recommended update values is listed as part of available updates in status, and setting values outside that range may cause the upgrade to fail.\n\nSome of the fields are inter-related with restrictions and meanings described here. 1. image is specified, version is specified, architecture is specified. API validation error. 2. image is specified, version is specified, architecture is not specified. You should not do this. version is silently ignored and image is used. 3. image is specified, version is not specified, architecture is specified. API validation error. 4. image is specified, version is not specified, architecture is not specified. image is used. 5. image is not specified, version is specified, architecture is specified. version and desired architecture are used to select an image. 6. image is not specified, version is specified, architecture is not specified. version and current architecture are used to select an image. 7. image is not specified, version is not specified, architecture is specified. API validation error. 8. image is not specified, version is not specified, architecture is not specified. 
API validation error.\n\nIf an upgrade fails the operator will halt and report status about the failing component. Setting the desired update value back to the previous version will cause a rollback to be attempted. Not all rollbacks will succeed.", + "desiredUpdate": "desiredUpdate is an optional field that indicates the desired value of the cluster version. Setting this value will trigger an upgrade (if the current version does not match the desired version). The set of recommended update values is listed as part of available updates in status, and setting values outside that range may cause the upgrade to fail.\n\nSome of the fields are inter-related with restrictions and meanings described here. 1. image is specified, version is specified, architecture is specified. API validation error. 2. image is specified, version is specified, architecture is not specified. The version extracted from the referenced image must match the specified version. 3. image is specified, version is not specified, architecture is specified. API validation error. 4. image is specified, version is not specified, architecture is not specified. image is used. 5. image is not specified, version is specified, architecture is specified. version and desired architecture are used to select an image. 6. image is not specified, version is specified, architecture is not specified. version and current architecture are used to select an image. 7. image is not specified, version is not specified, architecture is specified. API validation error. 8. image is not specified, version is not specified, architecture is not specified. API validation error.\n\nIf an upgrade fails the operator will halt and report status about the failing component. Setting the desired update value back to the previous version will cause a rollback to be attempted. Not all rollbacks will succeed.", "upstream": "upstream may be used to specify the preferred update server. 
By default it will use the appropriate update server for the cluster and region.", "channel": "channel is an identifier for explicitly requesting that a non-default set of updates be applied to this cluster. The default channel will be contain stable updates that are appropriate for production clusters.", "capabilities": "capabilities configures the installation of optional, core cluster components. A null value here is identical to an empty object; see the child properties for default semantics.", 
@@ -797,8 +836,8 @@ func (SignatureStore) SwaggerDoc() map[string]string { var map_Update = map[string]string{ "": "Update represents an administrator update request.", "architecture": "architecture is an optional field that indicates the desired value of the cluster architecture. In this context cluster architecture means either a single architecture or a multi architecture. architecture can only be set to Multi thereby only allowing updates from single to multi architecture. If architecture is set, image cannot be set and version must be set. Valid values are 'Multi' and empty.", - "version": "version is a semantic version identifying the update version. version is ignored if image is specified and required if architecture is specified.", - "image": "image is a container image location that contains the update. image should be used when the desired version does not exist in availableUpdates or history. When image is set, version is ignored. When image is set, version should be empty. When image is set, architecture cannot be specified.", + "version": "version is a semantic version identifying the update version. version is required if architecture is specified. If both version and image are set, the version extracted from the referenced image must match the specified version.", + "image": "image is a container image location that contains the update. image should be used when the desired version does not exist in availableUpdates or history. When image is set, architecture cannot be specified. If both version and image are set, the version extracted from the referenced image must match the specified version.", "force": "force allows an administrator to update to an image that has failed verification or upgradeable checks. This option should only be used when the authenticity of the provided image has been verified out of band because the provided image will run with full administrative access to the cluster. 
Do not use this flag with images that comes from unknown or potentially malicious sources.", } @@ -1198,8 +1237,8 @@ func (AWSPlatformStatus) SwaggerDoc() map[string]string { var map_AWSResourceTag = map[string]string{ "": "AWSResourceTag is a tag to apply to AWS resources created for the cluster.", - "key": "key is the key of the tag", - "value": "value is the value of the tag. Some AWS service do not support empty values. Since tags are added to resources in many services, the length of the tag value must meet the requirements of all services.", + "key": "key sets the key of the AWS resource tag key-value pair. Key is required when defining an AWS resource tag. Key should consist of between 1 and 128 characters, and may contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', and '@'.", + "value": "value sets the value of the AWS resource tag key-value pair. Value is required when defining an AWS resource tag. Value should consist of between 1 and 256 characters, and may contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', and '@'. Some AWS service do not support empty values. Since tags are added to resources in many services, the length of the tag value must meet the requirements of all services.", } func (AWSResourceTag) SwaggerDoc() map[string]string { 
@@ -1392,6 +1431,7 @@ var map_GCPPlatformStatus = map[string]string{ "resourceLabels": "resourceLabels is a list of additional labels to apply to GCP resources created for the cluster. See https://cloud.google.com/compute/docs/labeling-resources for information on labeling GCP resources. GCP supports a maximum of 64 labels per resource. OpenShift reserves 32 labels for internal use, allowing 32 labels for user configuration.", "resourceTags": "resourceTags is a list of additional tags to apply to GCP resources created for the cluster. See https://cloud.google.com/resource-manager/docs/tags/tags-overview for information on tagging GCP resources. GCP supports a maximum of 50 tags per resource.", "cloudLoadBalancerConfig": "cloudLoadBalancerConfig holds configuration related to DNS and cloud load balancers. It allows configuration of in-cluster DNS as an alternative to the platform default DNS implementation. When using the ClusterHosted DNS type, Load Balancer IP addresses must be provided for the API and internal API load balancers as well as the ingress load balancer.", + "serviceEndpoints": "serviceEndpoints specifies endpoints that override the default endpoints used when creating clients to interact with GCP services. When not specified, the default endpoint for the GCP region will be used. Only 1 endpoint override is permitted for each GCP service. The maximum number of endpoint overrides allowed is 9.", } func (GCPPlatformStatus) SwaggerDoc() map[string]string { 
@@ -1419,8 +1459,19 @@ func (GCPResourceTag) SwaggerDoc() map[string]string { return map_GCPResourceTag } +var map_GCPServiceEndpoint = map[string]string{ + "": "GCPServiceEndpoint store the configuration of a custom url to override existing defaults of GCP Services.", + "name": "name is the name of the GCP service whose endpoint is being overridden. This must be provided and cannot be empty.\n\nAllowed values are Compute, Container, CloudResourceManager, DNS, File, IAM, ServiceUsage, Storage, and TagManager.\n\nAs an example, when setting the name to Compute all requests made by the caller to the GCP Compute Service will be directed to the endpoint specified in the url field.", + "url": "url is a fully qualified URI that overrides the default endpoint for a client using the GCP service specified in the name field. url is required, must use the scheme https, must not be more than 253 characters in length, and must be a valid URL according to Go's net/url package (https://pkg.go.dev/net/url#URL)\n\nAn example of a valid endpoint that overrides the Compute Service: \"https://compute-myendpoint1.p.googleapis.com\"", +} + +func (GCPServiceEndpoint) SwaggerDoc() map[string]string { + return map_GCPServiceEndpoint +} + var map_IBMCloudPlatformSpec = map[string]string{ - "": "IBMCloudPlatformSpec holds the desired state of the IBMCloud infrastructure provider. This only includes fields that can be modified in the cluster.", + "": "IBMCloudPlatformSpec holds the desired state of the IBMCloud infrastructure provider. This only includes fields that can be modified in the cluster.", + "serviceEndpoints": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. 
Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. A maximum of 13 service endpoints overrides are supported.", } func (IBMCloudPlatformSpec) SwaggerDoc() map[string]string { @@ -1434,7 +1485,7 @@ var map_IBMCloudPlatformStatus = map[string]string{ "providerType": "providerType indicates the type of cluster that was created", "cisInstanceCRN": "cisInstanceCRN is the CRN of the Cloud Internet Services instance managing the DNS zone for the cluster's base domain", "dnsInstanceCRN": "dnsInstanceCRN is the CRN of the DNS Services instance managing the DNS zone for the cluster's base domain", - "serviceEndpoints": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM Cloud service. These endpoints are consumed by components within the cluster to reach the respective IBM Cloud Services.", + "serviceEndpoints": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints.", } func (IBMCloudPlatformStatus) SwaggerDoc() map[string]string { 
@@ -1444,7 +1495,7 @@ func (IBMCloudPlatformStatus) SwaggerDoc() map[string]string { var map_IBMCloudServiceEndpoint = map[string]string{ "": "IBMCloudServiceEndpoint stores the configuration of a custom url to override existing defaults of IBM Cloud Services.", "name": "name is the name of the IBM Cloud service. Possible values are: CIS, COS, COSConfig, DNSServices, GlobalCatalog, GlobalSearch, GlobalTagging, HyperProtect, IAM, KeyProtect, ResourceController, ResourceManager, or VPC. For example, the IBM Cloud Private IAM service could be configured with the service `name` of `IAM` and `url` of `https://private.iam.cloud.ibm.com` Whereas the IBM Cloud Private VPC service for US South (Dallas) could be configured with the service `name` of `VPC` and `url` of `https://us.south.private.iaas.cloud.ibm.com`", - "url": "url is fully qualified URI with scheme https, that overrides the default generated endpoint for a client. This must be provided and cannot be empty.", + "url": "url is fully qualified URI with scheme https, that overrides the default generated endpoint for a client. This must be provided and cannot be empty. The path must follow the pattern /v[0,9]+ or /api/v[0,9]+", } func (IBMCloudServiceEndpoint) SwaggerDoc() map[string]string { 
@@ -1962,6 +2013,26 @@ func (LoadBalancer) SwaggerDoc() map[string]string { return map_LoadBalancer } +var map_AWSKMSConfig = map[string]string{ + "": "AWSKMSConfig defines the KMS config specific to AWS KMS provider", + "keyARN": "keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. The value must adhere to the format `arn:aws:kms:::key/`, where: - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - `` is a 12-digit numeric identifier for the AWS account. - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.", + "region": "region specifies the AWS region where the KMS instance exists, and follows the format `--`, e.g.: `us-east-1`. Only lowercase letters and hyphens followed by numbers are allowed.", +} + +func (AWSKMSConfig) SwaggerDoc() map[string]string { + return map_AWSKMSConfig +} + +var map_KMSConfig = map[string]string{ + "": "KMSConfig defines the configuration for the KMS instance that will be used with KMSEncryptionProvider encryption", + "type": "type defines the kind of platform for the KMS provider. Available provider types are AWS only.", + "aws": "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane.", +} + +func (KMSConfig) SwaggerDoc() map[string]string { + return map_KMSConfig +} + var map_ClusterNetworkEntry = map[string]string{ "": "ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs are allocated.", "cidr": "The complete block for pod IPs.", diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go index 5eaeeea7..107b9e29 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go 
+++ b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go @@ -59,6 +59,7 @@ type ClusterImagePolicyStatus struct { // conditions provide details on the status of this API Resource. // +listType=map // +listMapKey=type + // +optional Conditions []metav1.Condition `json:"conditions,omitempty"` } diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go b/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go index 7f57d88f..5ffeac40 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go 
@@ -73,10 +73,12 @@ type Policy struct { // +union // +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'PublicKey' ? has(self.publicKey) : !has(self.publicKey)",message="publicKey is required when policyType is PublicKey, and forbidden otherwise" // +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'FulcioCAWithRekor' ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)",message="fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise" +// +openshift:validation:FeatureGateAwareXValidation:featureGate=SigstoreImageVerificationPKI,rule="has(self.policyType) && self.policyType == 'PKI' ? has(self.pki) : !has(self.pki)",message="pki is required when policyType is PKI, and forbidden otherwise" type PolicyRootOfTrust struct { // policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. // "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. // "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. + // "PKI" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. // +unionDiscriminator // +required PolicyType PolicyType `json:"policyType"` 
@@ -88,14 +90,20 @@ type PolicyRootOfTrust struct { // https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor // +optional FulcioCAWithRekor *FulcioCAWithRekor `json:"fulcioCAWithRekor,omitempty"` + // pki defines the root of trust based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. + // +optional + // +openshift:enable:FeatureGate=SigstoreImageVerificationPKI + PKI *PKI `json:"pki,omitempty"` } -// +kubebuilder:validation:Enum=PublicKey;FulcioCAWithRekor +// +openshift:validation:FeatureGateAwareEnum:featureGate="",enum=PublicKey;FulcioCAWithRekor +// +openshift:validation:FeatureGateAwareEnum:featureGate=SigstoreImageVerificationPKI,enum=PublicKey;FulcioCAWithRekor;PKI type PolicyType string const ( PublicKeyRootOfTrust PolicyType = "PublicKey" FulcioCAWithRekorRootOfTrust PolicyType = "FulcioCAWithRekor" + PKIRootOfTrust PolicyType = "PKI" ) // PublicKey defines the root of trust based on a sigstore public key. 
@@ -143,6 +151,48 @@ type PolicyFulcioSubject struct { SignedEmail string `json:"signedEmail"` } +// PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates. +type PKI struct { + // caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. + // +required + // +kubebuilder:validation:MaxLength=8192 + // +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN CERTIFICATE-----')",message="the caRootsData must start with base64 encoding of '-----BEGIN CERTIFICATE-----'." + // +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END CERTIFICATE-----\\n') || string(self).endsWith('-----END CERTIFICATE-----')",message="the caRootsData must end with base64 encoding of '-----END CERTIFICATE-----'." + // +kubebuilder:validation:XValidation:rule="string(self).findAll('-----BEGIN CERTIFICATE-----').size() == string(self).findAll('-----END CERTIFICATE-----').size()",message="caRootsData must be base64 encoding of valid PEM format data contain the same number of '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' markers." + CertificateAuthorityRootsData []byte `json:"caRootsData"` + // caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. + // caIntermediatesData requires caRootsData to be set. + // +optional + // +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN CERTIFICATE-----')",message="the caIntermediatesData must start with base64 encoding of '-----BEGIN CERTIFICATE-----'." 
+ // +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END CERTIFICATE-----\\n') || string(self).endsWith('-----END CERTIFICATE-----')",message="the caIntermediatesData must end with base64 encoding of '-----END CERTIFICATE-----'." + // +kubebuilder:validation:XValidation:rule="string(self).findAll('-----BEGIN CERTIFICATE-----').size() == string(self).findAll('-----END CERTIFICATE-----').size()",message="caIntermediatesData must be base64 encoding of valid PEM format data contain the same number of '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' markers." + // +kubebuilder:validation:MaxLength=8192 + CertificateAuthorityIntermediatesData []byte `json:"caIntermediatesData,omitempty"` + + // pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued. + // +required + PKICertificateSubject PKICertificateSubject `json:"pkiCertificateSubject"` +} + +// PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued. +// +kubebuilder:validation:XValidation:rule="has(self.email) || has(self.hostname)", message="at least one of email or hostname must be set in pkiCertificateSubject" +// +openshift:enable:FeatureGate=SigstoreImageVerificationPKI +type PKICertificateSubject struct { + // email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. + // The email should be a valid email address and at most 320 characters in length. 
+ // +optional + // +kubebuilder:validation:MaxLength:=320 + // +kubebuilder:validation:XValidation:rule=`self.matches('^\\S+@\\S+$')`,message="invalid email address in pkiCertificateSubject" + Email string `json:"email,omitempty"` + // hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. + // The hostname should be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. + // It should consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. + // +optional + // +kubebuilder:validation:MaxLength:=253 + // +kubebuilder:validation:XValidation:rule="self.startsWith('*.') ? !format.dns1123Subdomain().validate(self.replace('*.', '', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()",message="hostname should be a valid dns 1123 subdomain name, optionally prefixed by '*.'. It should consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk." + Hostname string `json:"hostname,omitempty"` +} + // PolicyIdentity defines image identity the signature claims about the image. When omitted, the default matchPolicy is "MatchRepoDigestOrExact". // +kubebuilder:validation:XValidation:rule="(has(self.matchPolicy) && self.matchPolicy == 'ExactRepository') ? has(self.exactRepository) : !has(self.exactRepository)",message="exactRepository is required when matchPolicy is ExactRepository, and forbidden otherwise" // +kubebuilder:validation:XValidation:rule="(has(self.matchPolicy) && self.matchPolicy == 'RemapIdentity') ? has(self.remapIdentity) : !has(self.remapIdentity)",message="remapIdentity is required when matchPolicy is RemapIdentity, and forbidden otherwise" 
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_insights.go b/vendor/github.com/openshift/api/config/v1alpha1/types_insights.go index 3ae4de15..46666ae3 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/types_insights.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_insights.go 
@@ -32,33 +32,97 @@ type InsightsDataGather struct {
 }
 type InsightsDataGatherSpec struct {
- // gatherConfig spec attribute includes all the configuration options related to
- // gathering of the Insights data and its uploading to the ingress.
+ // gatherConfig spec attribute includes all the configuration options related to gathering of the Insights data and its uploading to the ingress.
 // +optional
 GatherConfig GatherConfig `json:"gatherConfig,omitempty"`
 }
-type InsightsDataGatherStatus struct {
-}
+type InsightsDataGatherStatus struct{}
 // gatherConfig provides data gathering configuration options.
 type GatherConfig struct {
- // dataPolicy allows user to enable additional global obfuscation of the IP addresses and base domain
- // in the Insights archive data. Valid values are "None" and "ObfuscateNetworking".
+ // dataPolicy allows user to enable additional global obfuscation of the IP addresses and base domain in the Insights archive data.
+ // Valid values are "None" and "ObfuscateNetworking".
 // When set to None the data is not obfuscated.
 // When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated.
 // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
- // The current default is None.
 // +optional
 DataPolicy DataPolicy `json:"dataPolicy,omitempty"`
 // disabledGatherers is a list of gatherers to be excluded from the gathering. All the gatherers can be disabled by providing "all" value.
 // If all the gatherers are disabled, the Insights operator does not gather any data.
+ // The format for the disabledGatherer should be: {gatherer}/{function} where the function is optional.
+ // Gatherer consists of a lowercase letters only that may include underscores (_).
+ // Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/).
 // The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md.
 // Run the following command to get the names of last active gatherers:
 // "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'"
 // An example of disabling gatherers looks like this: `disabledGatherers: ["clusterconfig/machine_configs", "workloads/workload_info"]`
+ // +kubebuilder:validation:MaxItems=100
+ // +optional
+ DisabledGatherers []DisabledGatherer `json:"disabledGatherers"`
+ // storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive.
+ // If omitted, the gathering job will use ephemeral storage.
+ // +optional
+ StorageSpec *Storage `json:"storage,omitempty"`
+}
+
+// disabledGatherer is a string that represents a gatherer that should be disabled
+// +kubebuilder:validation:MaxLength=256
+// +kubebuilder:validation:XValidation:rule=`self.matches("^[a-z]+[_a-z]*[a-z]([/a-z][_a-z]*)?[a-z]$")`,message=`disabledGatherer must be in the format of {gatherer}/{function} where the gatherer and function are lowercase letters only that may include underscores (_) and are separated by a forward slash (/) if the function is provided`
+type DisabledGatherer string
+
+// storage provides persistent storage configuration options for gathering jobs.
+// If the type is set to PersistentVolume, then the PersistentVolume must be defined.
+// If the type is set to Ephemeral, then the PersistentVolume must not be defined.
+// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'PersistentVolume' ? has(self.persistentVolume) : !has(self.persistentVolume)",message="persistentVolume is required when type is PersistentVolume, and forbidden otherwise"
+type Storage struct {
+ // type is a required field that specifies the type of storage that will be used to store the Insights data archive.
+ // Valid values are "PersistentVolume" and "Ephemeral".
+ // When set to Ephemeral, the Insights data archive is stored in the ephemeral storage of the gathering job.
+ // When set to PersistentVolume, the Insights data archive is stored in the PersistentVolume that is defined by the persistentVolume field.
+ // +required
+ Type StorageType `json:"type"`
+ // persistentVolume is an optional field that specifies the PersistentVolume that will be used to store the Insights data archive.
+ // The PersistentVolume must be created in the openshift-insights namespace.
 // +optional
- DisabledGatherers []string `json:"disabledGatherers"`
+ PersistentVolume *PersistentVolumeConfig `json:"persistentVolume,omitempty"`
+}
+
+// storageType declares valid storage types
+// +kubebuilder:validation:Enum=PersistentVolume;Ephemeral
+type StorageType string
+
+const (
+ // StorageTypePersistentVolume storage type
+ StorageTypePersistentVolume StorageType = "PersistentVolume"
+ // StorageTypeEphemeral storage type
+ StorageTypeEphemeral StorageType = "Ephemeral"
+)
+
+// persistentVolumeConfig provides configuration options for PersistentVolume storage.
+type PersistentVolumeConfig struct {
+ // claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive.
+ // The PersistentVolumeClaim must be created in the openshift-insights namespace.
+ // +required
+ Claim PersistentVolumeClaimReference `json:"claim"`
+ // mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod.
+ // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
+ // The current default mount path is /var/lib/insights-operator
+ // The path may not exceed 1024 characters and must not contain a colon.
+ // +kubebuilder:validation:MaxLength=1024
+ // +kubebuilder:validation:XValidation:rule="!self.contains(':')",message="mountPath must not contain a colon"
+ // +optional
+ MountPath string `json:"mountPath,omitempty"`
+}
+
+// persistentVolumeClaimReference is a reference to a PersistentVolumeClaim.
+type PersistentVolumeClaimReference struct {
+ // name is a string that follows the DNS1123 subdomain format.
+ // It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character.
+ // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character."
+ // +kubebuilder:validation:MaxLength:=253
+ // +required
+ Name string `json:"name"`
 }
 const (
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go
index 8e22e2d2..b605ffcf 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go
+++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go
@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1alpha1
@@ -353,9 +353,14 @@ func (in *GatherConfig) DeepCopyInto(out *GatherConfig) {
 *out = *in if in.DisabledGatherers != nil { in, out := &in.DisabledGatherers, &out.DisabledGatherers - *out = make([]string, len(*in)) + *out = make([]DisabledGatherer, len(*in)) copy(*out, *in) } + if in.StorageSpec != nil { + in, out := &in.StorageSpec, &out.StorageSpec + *out = new(Storage) + (*in).DeepCopyInto(*out) + } return }
@@ -569,6 +574,82 @@ func (in *InsightsDataGatherStatus) DeepCopy() *InsightsDataGatherStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PKI) DeepCopyInto(out *PKI) { + *out = *in + if in.CertificateAuthorityRootsData != nil { + in, out := &in.CertificateAuthorityRootsData, &out.CertificateAuthorityRootsData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + if in.CertificateAuthorityIntermediatesData != nil { + in, out := &in.CertificateAuthorityIntermediatesData, &out.CertificateAuthorityIntermediatesData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + out.PKICertificateSubject = in.PKICertificateSubject + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKI. +func (in *PKI) DeepCopy() *PKI { + if in == nil { + return nil + } + out := new(PKI) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PKICertificateSubject) DeepCopyInto(out *PKICertificateSubject) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKICertificateSubject. +func (in *PKICertificateSubject) DeepCopy() *PKICertificateSubject { + if in == nil { + return nil + } + out := new(PKICertificateSubject) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PersistentVolumeClaimReference) DeepCopyInto(out *PersistentVolumeClaimReference) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PersistentVolumeClaimReference. 
+func (in *PersistentVolumeClaimReference) DeepCopy() *PersistentVolumeClaimReference { + if in == nil { + return nil + } + out := new(PersistentVolumeClaimReference) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PersistentVolumeConfig) DeepCopyInto(out *PersistentVolumeConfig) { + *out = *in + out.Claim = in.Claim + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PersistentVolumeConfig. +func (in *PersistentVolumeConfig) DeepCopy() *PersistentVolumeConfig { + if in == nil { + return nil + } + out := new(PersistentVolumeConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Policy) DeepCopyInto(out *Policy) { *out = *in @@ -674,6 +755,11 @@ func (in *PolicyRootOfTrust) DeepCopyInto(out *PolicyRootOfTrust) { *out = new(FulcioCAWithRekor) (*in).DeepCopyInto(*out) } + if in.PKI != nil { + in, out := &in.PKI, &out.PKI + *out = new(PKI) + (*in).DeepCopyInto(*out) + } return } 
@@ -771,6 +857,27 @@ func (in *RetentionSizeConfig) DeepCopy() *RetentionSizeConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Storage) DeepCopyInto(out *Storage) { + *out = *in + if in.PersistentVolume != nil { + in, out := &in.PersistentVolume, &out.PersistentVolume + *out = new(PersistentVolumeConfig) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Storage. +func (in *Storage) DeepCopy() *Storage { + if in == nil { + return nil + } + out := new(Storage) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *UserDefinedMonitoring) DeepCopyInto(out *UserDefinedMonitoring) { *out = *in diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml index 1d4a88d5..b9dca71a 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml @@ -29,6 +29,7 @@ clusterimagepolicies.config.openshift.io: Category: "" FeatureGates: - SigstoreImageVerification + - SigstoreImageVerificationPKI FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" @@ -76,6 +77,7 @@ imagepolicies.config.openshift.io: Category: "" FeatureGates: - SigstoreImageVerification + - SigstoreImageVerificationPKI FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" 
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go
index 92ae6cc7..3b145db6 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go
+++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go
@@ -214,6 +214,27 @@ func (ImagePolicyStatus) SwaggerDoc() map[string]string { return map_ImagePolicyStatus } +var map_PKI = map[string]string{ + "": "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", + "caRootsData": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. ", + "caIntermediatesData": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set. ", + "pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", +} + +func (PKI) SwaggerDoc() map[string]string { + return map_PKI +} + +var map_PKICertificateSubject = map[string]string{ + "": "PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", + "email": "email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. The email should be a valid email address and at most 320 characters in length.", + "hostname": "hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. The hostname should be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. 
It should consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk.", +} + +func (PKICertificateSubject) SwaggerDoc() map[string]string { + return map_PKICertificateSubject +} + var map_Policy = map[string]string{ "": "Policy defines the verification policy for the items in the scopes list.", "rootOfTrust": "rootOfTrust specifies the root of trust for the policy.", 
@@ -264,9 +285,10 @@ func (PolicyMatchRemapIdentity) SwaggerDoc() map[string]string { var map_PolicyRootOfTrust = map[string]string{ "": "PolicyRootOfTrust defines the root of trust based on the selected policyType.", - "policyType": "policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. \"PublicKey\" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. \"FulcioCAWithRekor\" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification.", + "policyType": "policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. \"PublicKey\" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. \"FulcioCAWithRekor\" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. \"PKI\" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", "publicKey": "publicKey defines the root of trust based on a sigstore public key.", "fulcioCAWithRekor": "fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", + "pki": "pki defines the root of trust based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates.", } func (PolicyRootOfTrust) SwaggerDoc() map[string]string { 
@@ -285,8 +307,9 @@ func (PublicKey) SwaggerDoc() map[string]string { var map_GatherConfig = map[string]string{ "": "gatherConfig provides data gathering configuration options.", - "dataPolicy": "dataPolicy allows user to enable additional global obfuscation of the IP addresses and base domain in the Insights archive data. Valid values are \"None\" and \"ObfuscateNetworking\". When set to None the data is not obfuscated. When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is None.", - "disabledGatherers": "disabledGatherers is a list of gatherers to be excluded from the gathering. All the gatherers can be disabled by providing \"all\" value. If all the gatherers are disabled, the Insights operator does not gather any data. The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. Run the following command to get the names of last active gatherers: \"oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'\" An example of disabling gatherers looks like this: `disabledGatherers: [\"clusterconfig/machine_configs\", \"workloads/workload_info\"]`", + "dataPolicy": "dataPolicy allows user to enable additional global obfuscation of the IP addresses and base domain in the Insights archive data. Valid values are \"None\" and \"ObfuscateNetworking\". When set to None the data is not obfuscated. When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.", + "disabledGatherers": "disabledGatherers is a list of gatherers to be excluded from the gathering. 
All the gatherers can be disabled by providing \"all\" value. If all the gatherers are disabled, the Insights operator does not gather any data. The format for the disabledGatherer should be: {gatherer}/{function} where the function is optional. Gatherer consists of a lowercase letters only that may include underscores (_). Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/). The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. Run the following command to get the names of last active gatherers: \"oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'\" An example of disabling gatherers looks like this: `disabledGatherers: [\"clusterconfig/machine_configs\", \"workloads/workload_info\"]`", + "storage": "storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive. If omitted, the gathering job will use ephemeral storage.", } func (GatherConfig) SwaggerDoc() map[string]string { 
@@ -321,4 +344,33 @@ func (InsightsDataGatherSpec) SwaggerDoc() map[string]string { return map_InsightsDataGatherSpec } +var map_PersistentVolumeClaimReference = map[string]string{ + "": "persistentVolumeClaimReference is a reference to a PersistentVolumeClaim.", + "name": "name is a string that follows the DNS1123 subdomain format. It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character.", +} + +func (PersistentVolumeClaimReference) SwaggerDoc() map[string]string { + return map_PersistentVolumeClaimReference +} + +var map_PersistentVolumeConfig = map[string]string{ + "": "persistentVolumeConfig provides configuration options for PersistentVolume storage.", + "claim": "claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive. The PersistentVolumeClaim must be created in the openshift-insights namespace.", + "mountPath": "mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default mount path is /var/lib/insights-operator The path may not exceed 1024 characters and must not contain a colon.", +} + +func (PersistentVolumeConfig) SwaggerDoc() map[string]string { + return map_PersistentVolumeConfig +} + +var map_Storage = map[string]string{ + "": "storage provides persistent storage configuration options for gathering jobs. If the type is set to PersistentVolume, then the PersistentVolume must be defined. If the type is set to Ephemeral, then the PersistentVolume must not be defined.", + "type": "type is a required field that specifies the type of storage that will be used to store the Insights data archive. 
Valid values are \"PersistentVolume\" and \"Ephemeral\". When set to Ephemeral, the Insights data archive is stored in the ephemeral storage of the gathering job. When set to PersistentVolume, the Insights data archive is stored in the PersistentVolume that is defined by the persistentVolume field.", + "persistentVolume": "persistentVolume is an optional field that specifies the PersistentVolume that will be used to store the Insights data archive. The PersistentVolume must be created in the openshift-insights namespace.", +} + +func (Storage) SwaggerDoc() map[string]string { + return map_Storage +} + // AUTO-GENERATED FUNCTIONS END HERE diff --git a/vendor/github.com/openshift/api/features/features.go b/vendor/github.com/openshift/api/features/features.go index e23a4b61..d786805b 100644 --- a/vendor/github.com/openshift/api/features/features.go +++ b/vendor/github.com/openshift/api/features/features.go @@ -40,16 +40,16 @@ var ( reportProblemsToJiraComponent("Management Console"). contactPerson("jhadvig"). productScope(ocpSpecific). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). enhancementPR("https://github.com/openshift/enhancements/pull/1706"). mustRegister() FeatureGateServiceAccountTokenNodeBinding = newFeatureGate("ServiceAccountTokenNodeBinding"). reportProblemsToJiraComponent("apiserver-auth"). - contactPerson("stlaz"). + contactPerson("ibihim"). productScope(kubernetes). enhancementPR("https://github.com/kubernetes/enhancements/issues/4193"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateValidatingAdmissionPolicy = newFeatureGate("ValidatingAdmissionPolicy"). 
@@ -65,7 +65,7 @@ var ( contactPerson("miciah"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.DevPreviewNoUpgrade). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateSetEIPForNLBIngressController = newFeatureGate("SetEIPForNLBIngressController"). @@ -100,14 +100,6 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateMachineAPIProviderOpenStack = newFeatureGate("MachineAPIProviderOpenStack"). - reportProblemsToJiraComponent("openstack"). - contactPerson("egarcia"). - productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateInsightsConfigAPI = newFeatureGate("InsightsConfigAPI"). reportProblemsToJiraComponent("insights"). contactPerson("tremes"). @@ -140,6 +132,14 @@ var ( enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateAzureDedicatedHosts = newFeatureGate("AzureDedicatedHosts"). + reportProblemsToJiraComponent("installer"). + contactPerson("rvanderp3"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1783"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateMaxUnavailableStatefulSet = newFeatureGate("MaxUnavailableStatefulSet"). reportProblemsToJiraComponent("apps"). contactPerson("atiratree"). 
@@ -171,6 +171,14 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateSigstoreImageVerificationPKI = newFeatureGate("SigstoreImageVerificationPKI"). + reportProblemsToJiraComponent("node"). + contactPerson("QiWang"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1658"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateGCPLabelsTags = newFeatureGate("GCPLabelsTags"). reportProblemsToJiraComponent("Installer"). contactPerson("bhb"). @@ -187,14 +195,6 @@ var ( enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateCloudDualStackNodeIPs = newFeatureGate("CloudDualStackNodeIPs"). - reportProblemsToJiraComponent("machine-config-operator/platform-baremetal"). - contactPerson("mkowalsk"). - productScope(kubernetes). - enhancementPR("https://github.com/kubernetes/enhancements/issues/3705"). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateVSphereHostVMGroupZonal = newFeatureGate("VSphereHostVMGroupZonal"). reportProblemsToJiraComponent("splat"). contactPerson("jcpowermac"). 
@@ -211,28 +211,12 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateVSphereMultiVCenters = newFeatureGate("VSphereMultiVCenters"). - reportProblemsToJiraComponent("splat"). - contactPerson("vr4manta"). - productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - - FeatureGateVSphereStaticIPs = newFeatureGate("VSphereStaticIPs"). - reportProblemsToJiraComponent("splat"). - contactPerson("rvanderp3"). - productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateRouteExternalCertificate = newFeatureGate("RouteExternalCertificate"). reportProblemsToJiraComponent("router"). - contactPerson("thejasn"). + contactPerson("chiragkyal"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateCPMSMachineNamePrefix = newFeatureGate("CPMSMachineNamePrefix"). @@ -240,7 +224,7 @@ var ( contactPerson("chiragkyal"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1714"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateAdminNetworkPolicy = newFeatureGate("AdminNetworkPolicy"). 
@@ -255,8 +239,8 @@ var ( reportProblemsToJiraComponent("Networking/ovn-kubernetes"). contactPerson("tssurya"). productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enhancementPR("https://github.com/openshift/enhancements/pull/1623"). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateAdditionalRoutingCapabilities = newFeatureGate("AdditionalRoutingCapabilities"). @@ -338,14 +322,6 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateVSphereControlPlaneMachineset = newFeatureGate("VSphereControlPlaneMachineSet"). - reportProblemsToJiraComponent("splat"). - contactPerson("rvanderp3"). - productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateMachineConfigNodes = newFeatureGate("MachineConfigNodes"). reportProblemsToJiraComponent("MachineConfigOperator"). contactPerson("cdoern"). 
@@ -401,20 +377,20 @@ var ( enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateDisableKubeletCloudCredentialProviders = newFeatureGate("DisableKubeletCloudCredentialProviders"). - reportProblemsToJiraComponent("cloud-provider"). - contactPerson("jspeed"). - productScope(kubernetes). - enhancementPR("https://github.com/kubernetes/enhancements/issues/2395"). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() + FeatureGateManagedBootImagesvSphere = newFeatureGate("ManagedBootImagesvSphere"). + reportProblemsToJiraComponent("MachineConfigOperator"). + contactPerson("rsaini"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1496"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() FeatureGateOnClusterBuild = newFeatureGate("OnClusterBuild"). reportProblemsToJiraComponent("MachineConfigOperator"). - contactPerson("dkhater"). + contactPerson("cheesesashimi"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateBootcNodeManagement = newFeatureGate("BootcNodeManagement"). 
@@ -490,6 +466,15 @@ var ( enableForClusterProfile(Hypershift, configv1.Default, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateExternalOIDCWithAdditionalClaimMappings = newFeatureGate("ExternalOIDCWithUIDAndExtraClaimMappings"). + reportProblemsToJiraComponent("authentication"). + contactPerson("bpalmer"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1777"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableForClusterProfile(Hypershift, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateExample = newFeatureGate("Example"). reportProblemsToJiraComponent("cluster-config"). contactPerson("deads"). 
@@ -522,6 +507,38 @@ var ( enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). mustRegister() + FeatureGateNewOLMCatalogdAPIV1Metas = newFeatureGate("NewOLMCatalogdAPIV1Metas"). + reportProblemsToJiraComponent("olm"). + contactPerson("jordank"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1749"). + enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + + FeatureGateNewOLMPreflightPermissionChecks = newFeatureGate("NewOLMPreflightPermissionChecks"). + reportProblemsToJiraComponent("olm"). + contactPerson("tshort"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1768"). + enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + + FeatureGateNewOLMOwnSingleNamespace = newFeatureGate("NewOLMOwnSingleNamespace"). + reportProblemsToJiraComponent("olm"). + contactPerson("nschieder"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1774"). + enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + + FeatureGateNewOLMWebhookProviderOpenshiftServiceCA = newFeatureGate("NewOLMWebhookProviderOpenshiftServiceCA"). + reportProblemsToJiraComponent("olm"). + contactPerson("pegoncal"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1799"). + enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateInsightsOnDemandDataGather = newFeatureGate("InsightsOnDemandDataGather"). reportProblemsToJiraComponent("insights"). contactPerson("tremes"). 
@@ -530,14 +547,6 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateBareMetalLoadBalancer = newFeatureGate("BareMetalLoadBalancer"). - reportProblemsToJiraComponent("metal"). - contactPerson("EmilienM"). - productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateInsightsConfig = newFeatureGate("InsightsConfig"). reportProblemsToJiraComponent("insights"). contactPerson("tremes"). @@ -559,14 +568,6 @@ var ( contactPerson("rexagod"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - - FeatureGateVSphereDriverConfiguration = newFeatureGate("VSphereDriverConfiguration"). - reportProblemsToJiraComponent("Storage / Kubernetes External Components"). - contactPerson("rbednar"). - productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -575,6 +576,7 @@ var ( contactPerson("cjschaef"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateChunkSizeMiB = newFeatureGate("ChunkSizeMiB"). @@ -590,6 +592,7 @@ var ( contactPerson("jspeed"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGatePersistentIPsForVirtualization = newFeatureGate("PersistentIPsForVirtualization"). 
@@ -608,14 +611,6 @@ var (
 enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
- FeatureGateMultiArchInstallAWS = newFeatureGate("MultiArchInstallAWS").
- reportProblemsToJiraComponent("Installer").
- contactPerson("r4f4").
- productScope(ocpSpecific).
- enhancementPR(legacyFeatureGateWithoutEnhancement).
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
- mustRegister()
-
 FeatureGateMultiArchInstallAzure = newFeatureGate("MultiArchInstallAzure").
 reportProblemsToJiraComponent("Installer").
 contactPerson("r4f4").
@@ -623,14 +618,6 @@ var (
 enhancementPR(legacyFeatureGateWithoutEnhancement).
 mustRegister()
- FeatureGateMultiArchInstallGCP = newFeatureGate("MultiArchInstallGCP").
- reportProblemsToJiraComponent("Installer").
- contactPerson("r4f4").
- productScope(ocpSpecific).
- enhancementPR(legacyFeatureGateWithoutEnhancement).
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
- mustRegister()
-
 FeatureGateIngressControllerLBSubnetsAWS = newFeatureGate("IngressControllerLBSubnetsAWS").
 reportProblemsToJiraComponent("Routing").
 contactPerson("miciah").
@@ -660,15 +647,18 @@ var (
 contactPerson("haircommander").
 productScope(kubernetes).
 enhancementPR("https://github.com/kubernetes/enhancements/issues/127").
- enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default).
 mustRegister()
+ // Note: this feature is perma-alpha, but it is safe and desireable to enable.
+ // It was an oversight in upstream to not remove the feature gate after the version skew became safe in 1.33.
+ // See https://github.com/kubernetes/enhancements/tree/d4226c42/keps/sig-node/127-user-namespaces#pod-security-standards-pss-integration
 FeatureGateUserNamespacesPodSecurityStandards = newFeatureGate("UserNamespacesPodSecurityStandards").
 reportProblemsToJiraComponent("Node").
 contactPerson("haircommander").
 productScope(kubernetes).
 enhancementPR("https://github.com/kubernetes/enhancements/issues/127").
- enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default).
 mustRegister()
 FeatureGateProcMountType = newFeatureGate("ProcMountType").
@@ -676,7 +666,7 @@ var (
 contactPerson("haircommander").
 productScope(kubernetes).
 enhancementPR("https://github.com/kubernetes/enhancements/issues/4265").
- enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default).
 mustRegister()
 FeatureGateVSphereMultiNetworks = newFeatureGate("VSphereMultiNetworks").
@@ -684,7 +674,7 @@ var (
 contactPerson("rvanderp").
 productScope(ocpSpecific).
 enhancementPR(legacyFeatureGateWithoutEnhancement).
- enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 FeatureGateIngressControllerDynamicConfigurationManager = newFeatureGate("IngressControllerDynamicConfigurationManager").
@@ -720,12 +710,15 @@ var (
 mustRegister()
 FeatureGateHighlyAvailableArbiter = newFeatureGate("HighlyAvailableArbiter").
- reportProblemsToJiraComponent("TwoNode / Arbiter").
+ reportProblemsToJiraComponent("Two Node with Arbiter").
 contactPerson("eggfoobar").
 productScope(ocpSpecific).
 enhancementPR("https://github.com/openshift/enhancements/pull/1674").
- enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
- mustRegister()
+ // TODO: Do not go GA until jira issue is resolved: https://issues.redhat.com/browse/OCPEDGE-1637
+ // Annotations must correctly handle either DualReplica or HighlyAvailableArbiter going GA with
+ // the other still in TechPreview.
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ mustRegister()
 FeatureGateCVOConfiguration = newFeatureGate("ClusterVersionOperatorConfiguration").
 reportProblemsToJiraComponent("Cluster Version Operator").
@@ -734,4 +727,91 @@ var (
 enhancementPR("https://github.com/openshift/enhancements/pull/1492").
 enableIn(configv1.DevPreviewNoUpgrade).
 mustRegister()
+
+ FeatureGateGCPCustomAPIEndpoints = newFeatureGate("GCPCustomAPIEndpoints").
+ reportProblemsToJiraComponent("Installer").
+ contactPerson("barbacbd").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/1492").
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ mustRegister()
+
+ FeatureGateDyanmicServiceEndpointIBMCloud = newFeatureGate("DyanmicServiceEndpointIBMCloud").
+ reportProblemsToJiraComponent("Cloud Compute / IBM Provider").
+ contactPerson("jared-hayes-dev").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/1712").
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ mustRegister()
+
+ FeatureGateSELinuxMount = newFeatureGate("SELinuxMount").
+ reportProblemsToJiraComponent("Storage / Kubernetes").
+ contactPerson("jsafrane").
+ productScope(kubernetes).
+ enhancementPR("https://github.com/kubernetes/enhancements/issues/1710").
+ enableIn(configv1.DevPreviewNoUpgrade).
+ mustRegister()
+
+ FeatureGateDualReplica = newFeatureGate("DualReplica").
+ reportProblemsToJiraComponent("Two Node Fencing").
+ contactPerson("jaypoulz").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/1675").
+ // TODO: Do not go GA until jira issue is resolved: https://issues.redhat.com/browse/OCPEDGE-1637
+ // Annotations must correctly handle either DualReplica or HighlyAvailableArbiter going GA with
+ // the other still in TechPreview.
+ enableIn(configv1.DevPreviewNoUpgrade).
+ mustRegister()
+
+ FeatureGateGatewayAPIController = newFeatureGate("GatewayAPIController").
+ reportProblemsToJiraComponent("Routing").
+ contactPerson("miciah").
+ productScope(ocpSpecific).
+ // Previously, the "GatewayAPI" feature gate managed both the GatewayAPI CRDs
+ // and the Gateway Controller. However, with the introduction of Gateway CRD
+ // lifecycle management (EP#1756), these responsibilities were separated.
+ // A dedicated feature gate now controls the Gateway Controller to distinguish
+ // its production readiness from that of the CRDs.
+ enhancementPR("https://github.com/openshift/enhancements/pull/1756").
+ enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ mustRegister()
+
+ FeatureShortCertRotation = newFeatureGate("ShortCertRotation").
+ reportProblemsToJiraComponent("kube-apiserver").
+ contactPerson("vrutkovs").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/1670").
+ mustRegister()
+
+ FeatureGateVSphereConfigurableMaxAllowedBlockVolumesPerNode = newFeatureGate("VSphereConfigurableMaxAllowedBlockVolumesPerNode").
+ reportProblemsToJiraComponent("Storage / Kubernetes External Components").
+ contactPerson("rbednar").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/1748").
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ mustRegister()
+
+ FeatureGateAzureMultiDisk = newFeatureGate("AzureMultiDisk").
+ reportProblemsToJiraComponent("splat").
+ contactPerson("jcpowermac").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/1779").
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ mustRegister()
+
+ FeatureGateAWSDedicatedHosts = newFeatureGate("AWSDedicatedHosts").
+ reportProblemsToJiraComponent("Installer").
+ contactPerson("faermanj").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/1781").
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ mustRegister()
+
+ FeatureGateVSphereMixedNodeEnv = newFeatureGate("VSphereMixedNodeEnv").
+ reportProblemsToJiraComponent("splat").
+ contactPerson("vr4manta").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/1772").
+ enableIn(configv1.DevPreviewNoUpgrade).
+ mustRegister()
 )
diff --git a/vendor/github.com/openshift/api/features/legacyfeaturegates.go b/vendor/github.com/openshift/api/features/legacyfeaturegates.go
index 132a3dac..2a74f8e8 100644
--- a/vendor/github.com/openshift/api/features/legacyfeaturegates.go
+++ b/vendor/github.com/openshift/api/features/legacyfeaturegates.go
@@ -17,8 +17,6 @@ var legacyFeatureGates = sets.New(
 // never add to this list, if you think you have an exception ask @deads2k
 "AzureWorkloadIdentity",
 // never add to this list, if you think you have an exception ask @deads2k
- "BareMetalLoadBalancer",
- // never add to this list, if you think you have an exception ask @deads2k
 "BootcNodeManagement",
 // never add to this list, if you think you have an exception ask @deads2k
 "BuildCSIVolumes",
diff --git a/vendor/github.com/openshift/api/machine/v1/types_alibabaprovider.go b/vendor/github.com/openshift/api/machine/v1/types_alibabaprovider.go
index d1396fbf..12a81967 100644
--- a/vendor/github.com/openshift/api/machine/v1/types_alibabaprovider.go
+++ b/vendor/github.com/openshift/api/machine/v1/types_alibabaprovider.go
@@ -224,6 +224,8 @@ type AlibabaCloudMachineProviderStatus struct {
 // conditions is a set of conditions associated with the Machine to indicate
 // errors or other status
 // +optional
+ // +listType=map
+ // +listMapKey=type
 Conditions []metav1.Condition `json:"conditions,omitempty"`
 }
diff --git a/vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go b/vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go
index cc9c04ca..ead8b207 100644
--- a/vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go
+++ b/vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go
@@ -428,12 +428,10 @@ type RootVolume struct {
 type ControlPlaneMachineSetStatus struct {
 // conditions represents the observations of the ControlPlaneMachineSet's current state.
 // Known .status.conditions.type are: Available, Degraded and Progressing.
- // +patchMergeKey=type
- // +patchStrategy=merge
 // +listType=map
 // +listMapKey=type
 // +optional
- Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+ Conditions []metav1.Condition `json:"conditions,omitempty"`
 // observedGeneration is the most recent generation observed for this
 // ControlPlaneMachineSet. It corresponds to the ControlPlaneMachineSets's generation,
diff --git a/vendor/github.com/openshift/api/machine/v1/types_nutanixprovider.go b/vendor/github.com/openshift/api/machine/v1/types_nutanixprovider.go
index cc1a355b..e2ddde2a 100644
--- a/vendor/github.com/openshift/api/machine/v1/types_nutanixprovider.go
+++ b/vendor/github.com/openshift/api/machine/v1/types_nutanixprovider.go
@@ -331,6 +331,8 @@ type NutanixMachineProviderStatus struct {
 // conditions is a set of conditions associated with the Machine to indicate
 // errors or other status
 // +optional
+ // +listType=map
+ // +listMapKey=type
 Conditions []metav1.Condition `json:"conditions,omitempty"`
 // vmUUID is the Machine associated VM's UUID
diff --git a/vendor/github.com/openshift/api/machine/v1/types_powervsprovider.go b/vendor/github.com/openshift/api/machine/v1/types_powervsprovider.go
index b676a8d5..d3a4c6ec 100644
--- a/vendor/github.com/openshift/api/machine/v1/types_powervsprovider.go
+++ b/vendor/github.com/openshift/api/machine/v1/types_powervsprovider.go
@@ -170,12 +170,10 @@ type PowerVSMachineProviderStatus struct {
 // conditions is a set of conditions associated with the Machine to indicate
 // errors or other status
- // +patchMergeKey=type
- // +patchStrategy=merge
 // +listType=map
 // +listMapKey=type
 // +optional
- Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+ Conditions []metav1.Condition `json:"conditions,omitempty"`
 // instanceId is the instance ID of the machine created in PowerVS
 // instanceId uniquely identifies a Power VS server instance(VM) under a Power VS service.
diff --git a/vendor/github.com/openshift/api/machine/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/machine/v1/zz_generated.deepcopy.go
index f3051438..61294ef5 100644
--- a/vendor/github.com/openshift/api/machine/v1/zz_generated.deepcopy.go
+++ b/vendor/github.com/openshift/api/machine/v1/zz_generated.deepcopy.go
@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated
-// Code generated by deepcopy-gen. DO NOT EDIT.
+// Code generated by codegen. DO NOT EDIT.
 package v1
diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go b/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go
index b34a8788..db15df2c 100644
--- a/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go
+++ b/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go
@@ -95,6 +95,18 @@ type AWSMachineProviderConfig struct {
 // The field size should be greater than 0 and the field input must start with cr-***
 // +optional
 CapacityReservationID string `json:"capacityReservationId"`
+ // marketType specifies the type of market for the EC2 instance.
+ // Valid values are OnDemand, Spot, CapacityBlock and omitted.
+ //
+ // Defaults to OnDemand.
+ // When SpotMarketOptions is provided, the marketType defaults to "Spot".
+ //
+ // When set to OnDemand the instance runs as a standard OnDemand instance.
+ // When set to Spot the instance runs as a Spot instance.
+ // When set to CapacityBlock the instance utilizes pre-purchased compute capacity (capacity blocks) with AWS Capacity Reservations.
+ // If this value is selected, capacityReservationID must be specified to identify the target reservation.
+ // +optional
+ MarketType MarketType `json:"marketType,omitempty"`
 }
 // BlockDeviceMappingSpec describes a block device mapping
@@ -128,8 +140,10 @@ type BlockDeviceMappingSpec struct {
 // https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/EbsBlockDevice
 type EBSBlockDeviceSpec struct {
 // Indicates whether the EBS volume is deleted on machine termination.
+ //
+ // Deprecated: setting this field has no effect.
 // +optional
- DeleteOnTermination *bool `json:"deleteOnTermination,omitempty"`
+ DeprecatedDeleteOnTermination *bool `json:"deleteOnTermination,omitempty"`
 // Indicates whether the EBS volume is encrypted. Encrypted Amazon EBS volumes
 // may only be attached to machines that support Amazon EBS encryption.
 // +optional
@@ -318,5 +332,26 @@ type AWSMachineProviderStatus struct {
 // conditions is a set of conditions associated with the Machine to indicate
 // errors or other status
 // +optional
+ // +listType=map
+ // +listMapKey=type
 Conditions []metav1.Condition `json:"conditions,omitempty"`
 }
+
+// MarketType describes the market type of an EC2 Instance
+// +kubebuilder:validation:Enum:=OnDemand;Spot;CapacityBlock
+type MarketType string
+
+const (
+
+ // MarketTypeOnDemand is a MarketType enum value
+ // When set to OnDemand the instance runs as a standard OnDemand instance.
+ MarketTypeOnDemand MarketType = "OnDemand"
+
+ // MarketTypeSpot is a MarketType enum value
+ // When set to Spot the instance runs as a Spot instance.
+ MarketTypeSpot MarketType = "Spot"
+
+ // MarketTypeCapacityBlock is a MarketType enum value
+ // When set to CapacityBlock the instance utilizes pre-purchased compute capacity (capacity blocks) with AWS Capacity Reservations.
+ MarketTypeCapacityBlock MarketType = "CapacityBlock"
+)
diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_azureprovider.go b/vendor/github.com/openshift/api/machine/v1beta1/types_azureprovider.go
index db84fa2c..760360bd 100644
--- a/vendor/github.com/openshift/api/machine/v1beta1/types_azureprovider.go
+++ b/vendor/github.com/openshift/api/machine/v1beta1/types_azureprovider.go
@@ -234,6 +234,8 @@ type AzureMachineProviderStatus struct {
 // conditions is a set of conditions associated with the Machine to indicate
 // errors or other status.
 // +optional
+ // +listType=map
+ // +listMapKey=type
 Conditions []metav1.Condition `json:"conditions,omitempty"`
 }
diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_gcpprovider.go b/vendor/github.com/openshift/api/machine/v1beta1/types_gcpprovider.go
index fc09a0c4..72a31b5b 100644
--- a/vendor/github.com/openshift/api/machine/v1beta1/types_gcpprovider.go
+++ b/vendor/github.com/openshift/api/machine/v1beta1/types_gcpprovider.go
@@ -63,6 +63,12 @@ const (
 ConfidentialComputePolicyEnabled ConfidentialComputePolicy = "Enabled"
 // ConfidentialComputePolicyDisabled disables confidential compute for the GCP machine.
 ConfidentialComputePolicyDisabled ConfidentialComputePolicy = "Disabled"
+ // ConfidentialComputePolicySEV sets AMD SEV as the VM instance's confidential computing technology of choice.
+ ConfidentialComputePolicySEV ConfidentialComputePolicy = "AMDEncryptedVirtualization"
+ // ConfidentialComputePolicySEVSNP sets AMD SEV-SNP as the VM instance's confidential computing technology of choice.
+ ConfidentialComputePolicySEVSNP ConfidentialComputePolicy = "AMDEncryptedVirtualizationNestedPaging"
+ // ConfidentialComputePolicyTDX sets Intel TDX as the VM instance's confidential computing technology of choice.
+ ConfidentialComputePolicyTDX ConfidentialComputePolicy = "IntelTrustedDomainExtensions"
 )
 // GCPMachineProviderSpec is the type that will be embedded in a Machine.Spec.ProviderSpec field
@@ -143,10 +149,21 @@ type GCPMachineProviderSpec struct {
 // +optional
 ShieldedInstanceConfig GCPShieldedInstanceConfig `json:"shieldedInstanceConfig,omitempty"`
- // confidentialCompute Defines whether the instance should have confidential compute enabled.
- // If enabled OnHostMaintenance is required to be set to "Terminate".
- // If omitted, the platform chooses a default, which is subject to change over time, currently that default is false.
- // +kubebuilder:validation:Enum=Enabled;Disabled
+ // confidentialCompute is an optional field defining whether the instance should have confidential compute enabled or not, and the confidential computing technology of choice.
+ // Allowed values are omitted, Disabled, Enabled, AMDEncryptedVirtualization, AMDEncryptedVirtualizationNestedPaging, and IntelTrustedDomainExtensions
+ // When set to Disabled, the machine will not be configured to be a confidential computing instance.
+ // When set to Enabled, the machine will be configured as a confidential computing instance with no preference on the confidential compute policy used. In this mode, the platform chooses a default that is subject to change over time. Currently, the default is to use AMD Secure Encrypted Virtualization.
+ // When set to AMDEncryptedVirtualization, the machine will be configured as a confidential computing instance with AMD Secure Encrypted Virtualization (AMD SEV) as the confidential computing technology.
+ // When set to AMDEncryptedVirtualizationNestedPaging, the machine will be configured as a confidential computing instance with AMD Secure Encrypted Virtualization Secure Nested Paging (AMD SEV-SNP) as the confidential computing technology.
+ // When set to IntelTrustedDomainExtensions, the machine will be configured as a confidential computing instance with Intel Trusted Domain Extensions (Intel TDX) as the confidential computing technology.
+ // If any value other than Disabled is set the selected machine type must support that specific confidential computing technology. The machine series supporting confidential computing technologies can be checked at https://cloud.google.com/confidential-computing/confidential-vm/docs/supported-configurations#all-confidential-vm-instances
+ // Currently, AMDEncryptedVirtualization is supported in c2d, n2d, and c3d machines.
+ // AMDEncryptedVirtualizationNestedPaging is supported in n2d machines.
+ // IntelTrustedDomainExtensions is supported in c3 machines.
+ // If any value other than Disabled is set, the selected region must support that specific confidential computing technology. The list of regions supporting confidential computing technologies can be checked at https://cloud.google.com/confidential-computing/confidential-vm/docs/supported-configurations#supported-zones
+ // If any value other than Disabled is set onHostMaintenance is required to be set to "Terminate".
+ // If omitted, the platform chooses a default, which is subject to change over time, currently that default is Disabled.
+ // +kubebuilder:validation:Enum="";Enabled;Disabled;AMDEncryptedVirtualization;AMDEncryptedVirtualizationNestedPaging;IntelTrustedDomainExtensions
 // +optional
 ConfidentialCompute ConfidentialComputePolicy `json:"confidentialCompute,omitempty"`
@@ -296,6 +313,8 @@ type GCPMachineProviderStatus struct {
 // conditions is a set of conditions associated with the Machine to indicate
 // errors or other status
 // +optional
+ // +listType=map
+ // +listMapKey=type
 Conditions []metav1.Condition `json:"conditions,omitempty"`
 }
diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_vsphereprovider.go b/vendor/github.com/openshift/api/machine/v1beta1/types_vsphereprovider.go
index 3b83d10f..fe6626f7 100644
--- a/vendor/github.com/openshift/api/machine/v1beta1/types_vsphereprovider.go
+++ b/vendor/github.com/openshift/api/machine/v1beta1/types_vsphereprovider.go
@@ -198,8 +198,34 @@ type VSphereDisk struct {
 // +kubebuilder:validation:Maximum=16384
 // +required
 SizeGiB int32 `json:"sizeGiB"`
+ // provisioningMode is an optional field that specifies the provisioning type to be used by this vSphere data disk.
+ // Allowed values are "Thin", "Thick", "EagerlyZeroed", and omitted.
+ // When set to Thin, the disk will be made using thin provisioning allocating the bare minimum space.
+ // When set to Thick, the full disk size will be allocated when disk is created.
+ // When set to EagerlyZeroed, the disk will be created using eager zero provisioning. An eager zeroed thick disk has all space allocated and wiped clean of any previous contents on the physical media at creation time. Such disks may take longer time during creation compared to other disk formats.
+ // When omitted, no setting will be applied to the data disk and the provisioning mode for the disk will be determined by the default storage policy configured for the datastore in vSphere.
+ // +optional
+ ProvisioningMode ProvisioningMode `json:"provisioningMode,omitempty"`
 }
+// provisioningMode represents the various provisioning types available to a VMs disk.
+// +kubebuilder:validation:Enum=Thin;Thick;EagerlyZeroed
+type ProvisioningMode string
+
+const (
+ // ProvisioningModeThin creates the disk using thin provisioning. This means a sparse (allocate on demand)
+ // format with additional space optimizations.
+ ProvisioningModeThin ProvisioningMode = "Thin"
+
+ // ProvisioningModeThick creates the disk with all space allocated.
+ ProvisioningModeThick ProvisioningMode = "Thick"
+
+ // ProvisioningModeEagerlyZeroed creates the disk using eager zero provisioning. An eager zeroed thick disk
+ // has all space allocated and wiped clean of any previous contents on the physical media at
+ // creation time. Such disks may take longer time during creation compared to other disk formats.
+ ProvisioningModeEagerlyZeroed ProvisioningMode = "EagerlyZeroed"
+)
+
 // WorkspaceConfig defines a workspace configuration for the vSphere cloud
 // provider.
 type Workspace struct {
@@ -239,6 +265,9 @@ type VSphereMachineProviderStatus struct {
 InstanceState *string `json:"instanceState,omitempty"`
 // conditions is a set of conditions associated with the Machine to indicate
 // errors or other status
+ // +listType=map
+ // +listMapKey=type
+ // +optional
 Conditions []metav1.Condition `json:"conditions,omitempty"`
 // taskRef is a managed object reference to a Task related to the machine.
 // This value is set automatically at runtime and should not be set or
diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machines-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machines-DevPreviewNoUpgrade.crd.yaml
index 448bfea4..349398de 100644
--- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machines-DevPreviewNoUpgrade.crd.yaml
+++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machines-DevPreviewNoUpgrade.crd.yaml
@@ -81,6 +81,20 @@ spec: spec: description: MachineSpec defines the desired state of Machine properties: + authoritativeAPI: + default: MachineAPI + description: |- + authoritativeAPI is the API that is authoritative for this resource. + Valid values are MachineAPI and ClusterAPI. + When set to MachineAPI, writes to the spec of the machine.openshift.io copy of this resource will be reflected into the cluster.x-k8s.io copy. + When set to ClusterAPI, writes to the spec of the cluster.x-k8s.io copy of this resource will be reflected into the machine.openshift.io copy. + Updates to the status will be reflected in both copies of the resource, based on the controller implementing the functionality of the API. + Currently the authoritative API determines which controller will manage the resource, this will change in a future release. + To ensure the change has been accepted, please verify that the `status.authoritativeAPI` field has been updated to the desired value and that the `Synchronized` condition is present and set to `True`. + enum: + - MachineAPI + - ClusterAPI + type: string lifecycleHooks: description: |- lifecycleHooks allow users to pause operations on the machine at 
@@ -364,6 +378,23 @@ spec: type: object type: array x-kubernetes-list-type: atomic + authoritativeAPI: + description: |- + authoritativeAPI is the API that is authoritative for this resource. + Valid values are MachineAPI, ClusterAPI and Migrating. + This value is updated by the migration controller to reflect the authoritative API. + Machine API and Cluster API controllers use this value to determine whether or not to reconcile the resource. + When set to Migrating, the migration controller is currently performing the handover of authority from one API to the other. + enum: + - MachineAPI + - ClusterAPI + - Migrating + type: string + x-kubernetes-validations: + - message: The authoritativeAPI field must not transition directly + from MachineAPI to ClusterAPI or vice versa. It must transition + through Migrating. + rule: self == 'Migrating' || self == oldSelf || oldSelf == 'Migrating' conditions: description: conditions defines the current state of the Machine items: @@ -537,7 +568,23 @@ spec: serialized/deserialized from this field. type: object x-kubernetes-preserve-unknown-fields: true + synchronizedGeneration: + description: |- + synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with. + This field is set when the authoritative resource is updated and the sync controller has updated the non-authoritative resource to match. + format: int64 + minimum: 0 + type: integer type: object + x-kubernetes-validations: + - fieldPath: .synchronizedGeneration + message: synchronizedGeneration must not decrease unless authoritativeAPI + is transitioning from Migrating to another value + reason: FieldValueInvalid + rule: '!has(oldSelf.synchronizedGeneration) || (has(self.synchronizedGeneration) + && self.synchronizedGeneration >= oldSelf.synchronizedGeneration) + || (oldSelf.authoritativeAPI == ''Migrating'' && self.authoritativeAPI + != ''Migrating'')' type: object served: true storage: true 
diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machines-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machines-TechPreviewNoUpgrade.crd.yaml index c08ecebc..c402e33a 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machines-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machines-TechPreviewNoUpgrade.crd.yaml @@ -81,6 +81,20 @@ spec: spec: description: MachineSpec defines the desired state of Machine properties: + authoritativeAPI: + default: MachineAPI + description: |- + authoritativeAPI is the API that is authoritative for this resource. + Valid values are MachineAPI and ClusterAPI. + When set to MachineAPI, writes to the spec of the machine.openshift.io copy of this resource will be reflected into the cluster.x-k8s.io copy. + When set to ClusterAPI, writes to the spec of the cluster.x-k8s.io copy of this resource will be reflected into the machine.openshift.io copy. + Updates to the status will be reflected in both copies of the resource, based on the controller implementing the functionality of the API. + Currently the authoritative API determines which controller will manage the resource, this will change in a future release. + To ensure the change has been accepted, please verify that the `status.authoritativeAPI` field has been updated to the desired value and that the `Synchronized` condition is present and set to `True`. + enum: + - MachineAPI + - ClusterAPI + type: string lifecycleHooks: description: |- lifecycleHooks allow users to pause operations on the machine at 
@@ -364,6 +378,23 @@ spec: type: object type: array x-kubernetes-list-type: atomic + authoritativeAPI: + description: |- + authoritativeAPI is the API that is authoritative for this resource. + Valid values are MachineAPI, ClusterAPI and Migrating. + This value is updated by the migration controller to reflect the authoritative API. + Machine API and Cluster API controllers use this value to determine whether or not to reconcile the resource. + When set to Migrating, the migration controller is currently performing the handover of authority from one API to the other. + enum: + - MachineAPI + - ClusterAPI + - Migrating + type: string + x-kubernetes-validations: + - message: The authoritativeAPI field must not transition directly + from MachineAPI to ClusterAPI or vice versa. It must transition + through Migrating. + rule: self == 'Migrating' || self == oldSelf || oldSelf == 'Migrating' conditions: description: conditions defines the current state of the Machine items: @@ -537,7 +568,23 @@ spec: serialized/deserialized from this field. type: object x-kubernetes-preserve-unknown-fields: true + synchronizedGeneration: + description: |- + synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with. + This field is set when the authoritative resource is updated and the sync controller has updated the non-authoritative resource to match. + format: int64 + minimum: 0 + type: integer type: object + x-kubernetes-validations: + - fieldPath: .synchronizedGeneration + message: synchronizedGeneration must not decrease unless authoritativeAPI + is transitioning from Migrating to another value + reason: FieldValueInvalid + rule: '!has(oldSelf.synchronizedGeneration) || (has(self.synchronizedGeneration) + && self.synchronizedGeneration >= oldSelf.synchronizedGeneration) + || (oldSelf.authoritativeAPI == ''Migrating'' && self.authoritativeAPI + != ''Migrating'')' type: object served: true storage: true 
diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machinesets-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machinesets-DevPreviewNoUpgrade.crd.yaml index 6da86259..82abfc04 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machinesets-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machinesets-DevPreviewNoUpgrade.crd.yaml @@ -66,6 +66,20 @@ spec: spec: description: MachineSetSpec defines the desired state of MachineSet properties: + authoritativeAPI: + default: MachineAPI + description: |- + authoritativeAPI is the API that is authoritative for this resource. + Valid values are MachineAPI and ClusterAPI. + When set to MachineAPI, writes to the spec of the machine.openshift.io copy of this resource will be reflected into the cluster.x-k8s.io copy. + When set to ClusterAPI, writes to the spec of the cluster.x-k8s.io copy of this resource will be reflected into the machine.openshift.io copy. + Updates to the status will be reflected in both copies of the resource, based on the controller implementing the functionality of the API. + Currently the authoritative API determines which controller will manage the resource, this will change in a future release. + To ensure the change has been accepted, please verify that the `status.authoritativeAPI` field has been updated to the desired value and that the `Synchronized` condition is present and set to `True`. + enum: + - MachineAPI + - ClusterAPI + type: string deletePolicy: description: |- deletePolicy defines the policy used to identify nodes to delete when downscaling. 
@@ -267,6 +281,20 @@ spec: Specification of the desired behavior of the machine. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status properties: + authoritativeAPI: + default: MachineAPI + description: |- + authoritativeAPI is the API that is authoritative for this resource. + Valid values are MachineAPI and ClusterAPI. + When set to MachineAPI, writes to the spec of the machine.openshift.io copy of this resource will be reflected into the cluster.x-k8s.io copy. + When set to ClusterAPI, writes to the spec of the cluster.x-k8s.io copy of this resource will be reflected into the machine.openshift.io copy. + Updates to the status will be reflected in both copies of the resource, based on the controller implementing the functionality of the API. + Currently the authoritative API determines which controller will manage the resource, this will change in a future release. + To ensure the change has been accepted, please verify that the `status.authoritativeAPI` field has been updated to the desired value and that the `Synchronized` condition is present and set to `True`. + enum: + - MachineAPI + - ClusterAPI + type: string lifecycleHooks: description: |- lifecycleHooks allow users to pause operations on the machine at 
@@ -535,6 +563,23 @@ spec: status: description: MachineSetStatus defines the observed state of MachineSet properties: + authoritativeAPI: + description: |- + authoritativeAPI is the API that is authoritative for this resource. + Valid values are MachineAPI, ClusterAPI and Migrating. + This value is updated by the migration controller to reflect the authoritative API. + Machine API and Cluster API controllers use this value to determine whether or not to reconcile the resource. + When set to Migrating, the migration controller is currently performing the handover of authority from one API to the other. + enum: + - MachineAPI + - ClusterAPI + - Migrating + type: string + x-kubernetes-validations: + - message: The authoritativeAPI field must not transition directly + from MachineAPI to ClusterAPI or vice versa. It must transition + through Migrating. + rule: self == 'Migrating' || self == oldSelf || oldSelf == 'Migrating' availableReplicas: description: The number of available replicas (ready for at least minReadySeconds) for this MachineSet. 
@@ -630,7 +675,23 @@ spec: description: replicas is the most recently observed number of replicas. format: int32 type: integer + synchronizedGeneration: + description: |- + synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with. + This field is set when the authoritative resource is updated and the sync controller has updated the non-authoritative resource to match. + format: int64 + minimum: 0 + type: integer type: object + x-kubernetes-validations: + - fieldPath: .synchronizedGeneration + message: synchronizedGeneration must not decrease unless authoritativeAPI + is transitioning from Migrating to another value + reason: FieldValueInvalid + rule: '!has(oldSelf.synchronizedGeneration) || (has(self.synchronizedGeneration) + && self.synchronizedGeneration >= oldSelf.synchronizedGeneration) + || (oldSelf.authoritativeAPI == ''Migrating'' && self.authoritativeAPI + != ''Migrating'')' type: object served: true storage: true diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machinesets-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machinesets-TechPreviewNoUpgrade.crd.yaml index 51bbf02e..c7d51256 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machinesets-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machinesets-TechPreviewNoUpgrade.crd.yaml 
@@ -66,6 +66,20 @@ spec: spec: description: MachineSetSpec defines the desired state of MachineSet properties: + authoritativeAPI: + default: MachineAPI + description: |- + authoritativeAPI is the API that is authoritative for this resource. + Valid values are MachineAPI and ClusterAPI. + When set to MachineAPI, writes to the spec of the machine.openshift.io copy of this resource will be reflected into the cluster.x-k8s.io copy. + When set to ClusterAPI, writes to the spec of the cluster.x-k8s.io copy of this resource will be reflected into the machine.openshift.io copy. + Updates to the status will be reflected in both copies of the resource, based on the controller implementing the functionality of the API. + Currently the authoritative API determines which controller will manage the resource, this will change in a future release. + To ensure the change has been accepted, please verify that the `status.authoritativeAPI` field has been updated to the desired value and that the `Synchronized` condition is present and set to `True`. + enum: + - MachineAPI + - ClusterAPI + type: string deletePolicy: description: |- deletePolicy defines the policy used to identify nodes to delete when downscaling. 
@@ -267,6 +281,20 @@ spec: Specification of the desired behavior of the machine. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status properties: + authoritativeAPI: + default: MachineAPI + description: |- + authoritativeAPI is the API that is authoritative for this resource. + Valid values are MachineAPI and ClusterAPI. + When set to MachineAPI, writes to the spec of the machine.openshift.io copy of this resource will be reflected into the cluster.x-k8s.io copy. + When set to ClusterAPI, writes to the spec of the cluster.x-k8s.io copy of this resource will be reflected into the machine.openshift.io copy. + Updates to the status will be reflected in both copies of the resource, based on the controller implementing the functionality of the API. + Currently the authoritative API determines which controller will manage the resource, this will change in a future release. + To ensure the change has been accepted, please verify that the `status.authoritativeAPI` field has been updated to the desired value and that the `Synchronized` condition is present and set to `True`. + enum: + - MachineAPI + - ClusterAPI + type: string lifecycleHooks: description: |- lifecycleHooks allow users to pause operations on the machine at 
@@ -535,6 +563,23 @@ spec: status: description: MachineSetStatus defines the observed state of MachineSet properties: + authoritativeAPI: + description: |- + authoritativeAPI is the API that is authoritative for this resource. + Valid values are MachineAPI, ClusterAPI and Migrating. + This value is updated by the migration controller to reflect the authoritative API. + Machine API and Cluster API controllers use this value to determine whether or not to reconcile the resource. + When set to Migrating, the migration controller is currently performing the handover of authority from one API to the other. + enum: + - MachineAPI + - ClusterAPI + - Migrating + type: string + x-kubernetes-validations: + - message: The authoritativeAPI field must not transition directly + from MachineAPI to ClusterAPI or vice versa. It must transition + through Migrating. + rule: self == 'Migrating' || self == oldSelf || oldSelf == 'Migrating' availableReplicas: description: The number of available replicas (ready for at least minReadySeconds) for this MachineSet. 
@@ -630,7 +675,23 @@ spec: description: replicas is the most recently observed number of replicas. format: int32 type: integer + synchronizedGeneration: + description: |- + synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with. + This field is set when the authoritative resource is updated and the sync controller has updated the non-authoritative resource to match. + format: int64 + minimum: 0 + type: integer type: object + x-kubernetes-validations: + - fieldPath: .synchronizedGeneration + message: synchronizedGeneration must not decrease unless authoritativeAPI + is transitioning from Migrating to another value + reason: FieldValueInvalid + rule: '!has(oldSelf.synchronizedGeneration) || (has(self.synchronizedGeneration) + && self.synchronizedGeneration >= oldSelf.synchronizedGeneration) + || (oldSelf.authoritativeAPI == ''Migrating'' && self.authoritativeAPI + != ''Migrating'')' type: object served: true storage: true diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go index ba9aae81..7763435a 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1beta1 
@@ -518,8 +518,8 @@ func (in *DiskSettings) DeepCopy() *DiskSettings { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *EBSBlockDeviceSpec) DeepCopyInto(out *EBSBlockDeviceSpec) { *out = *in - if in.DeleteOnTermination != nil { - in, out := &in.DeleteOnTermination, &out.DeleteOnTermination + if in.DeprecatedDeleteOnTermination != nil { + in, out := &in.DeprecatedDeleteOnTermination, &out.DeprecatedDeleteOnTermination *out = new(bool) **out = **in } diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go index 4c52b665..2667a0aa 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go 
@@ -33,6 +33,7 @@ var map_AWSMachineProviderConfig = map[string]string{ "placementGroupName": "placementGroupName specifies the name of the placement group in which to launch the instance. The placement group must already be created and may use any placement strategy. When omitted, no placement group is used when creating the EC2 instance.", "placementGroupPartition": "placementGroupPartition is the partition number within the placement group in which to launch the instance. This must be an integer value between 1 and 7. It is only valid if the placement group, referred in `PlacementGroupName` was created with strategy set to partition.", "capacityReservationId": "capacityReservationId specifies the target Capacity Reservation into which the instance should be launched. The field size should be greater than 0 and the field input must start with cr-***", + "marketType": "marketType specifies the type of market for the EC2 instance. Valid values are OnDemand, Spot, CapacityBlock and omitted.\n\nDefaults to OnDemand. When SpotMarketOptions is provided, the marketType defaults to \"Spot\".\n\nWhen set to OnDemand the instance runs as a standard OnDemand instance. When set to Spot the instance runs as a Spot instance. When set to CapacityBlock the instance utilizes pre-purchased compute capacity (capacity blocks) with AWS Capacity Reservations. If this value is selected, capacityReservationID must be specified to identify the target reservation.", } func (AWSMachineProviderConfig) SwaggerDoc() map[string]string { 
@@ -83,7 +84,7 @@ func (BlockDeviceMappingSpec) SwaggerDoc() map[string]string { var map_EBSBlockDeviceSpec = map[string]string{ "": "EBSBlockDeviceSpec describes a block device for an EBS volume. https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/EbsBlockDevice", - "deleteOnTermination": "Indicates whether the EBS volume is deleted on machine termination.", + "deleteOnTermination": "Indicates whether the EBS volume is deleted on machine termination.\n\nDeprecated: setting this field has no effect.", "encrypted": "Indicates whether the EBS volume is encrypted. Encrypted Amazon EBS volumes may only be attached to machines that support Amazon EBS encryption.", "kmsKey": "Indicates the KMS key that should be used to encrypt the Amazon EBS volume.", "iops": "The number of I/O operations per second (IOPS) that the volume supports. For io1, this represents the number of IOPS that are provisioned for the volume. For gp2, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting. For more information about General Purpose SSD baseline performance, I/O credits, and bursting, see Amazon EBS Volume Types (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) in the Amazon Elastic Compute Cloud User Guide.\n\nMinimal and maximal IOPS for io1 and gp2 are constrained. Please, check https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html for precise boundaries for individual volumes.\n\nCondition: This parameter is required for requests to create io1 volumes; it is not used in requests to create gp2, st1, sc1, or standard volumes.", 
@@ -444,7 +445,7 @@ var map_GCPMachineProviderSpec = map[string]string{ "onHostMaintenance": "onHostMaintenance determines the behavior when a maintenance event occurs that might cause the instance to reboot. This is required to be set to \"Terminate\" if you want to provision machine with attached GPUs. Otherwise, allowed values are \"Migrate\" and \"Terminate\". If omitted, the platform chooses a default, which is subject to change over time, currently that default is \"Migrate\".", "restartPolicy": "restartPolicy determines the behavior when an instance crashes or the underlying infrastructure provider stops the instance as part of a maintenance event (default \"Always\"). Cannot be \"Always\" with preemptible instances. Otherwise, allowed values are \"Always\" and \"Never\". If omitted, the platform chooses a default, which is subject to change over time, currently that default is \"Always\". RestartPolicy represents AutomaticRestart in GCP compute api", "shieldedInstanceConfig": "shieldedInstanceConfig is the Shielded VM configuration for the VM", - "confidentialCompute": "confidentialCompute Defines whether the instance should have confidential compute enabled. If enabled OnHostMaintenance is required to be set to \"Terminate\". If omitted, the platform chooses a default, which is subject to change over time, currently that default is false.", + "confidentialCompute": "confidentialCompute is an optional field defining whether the instance should have confidential compute enabled or not, and the confidential computing technology of choice. Allowed values are omitted, Disabled, Enabled, AMDEncryptedVirtualization, AMDEncryptedVirtualizationNestedPaging, and IntelTrustedDomainExtensions When set to Disabled, the machine will not be configured to be a confidential computing instance. When set to Enabled, the machine will be configured as a confidential computing instance with no preference on the confidential compute policy used. 
In this mode, the platform chooses a default that is subject to change over time. Currently, the default is to use AMD Secure Encrypted Virtualization. When set to AMDEncryptedVirtualization, the machine will be configured as a confidential computing instance with AMD Secure Encrypted Virtualization (AMD SEV) as the confidential computing technology. When set to AMDEncryptedVirtualizationNestedPaging, the machine will be configured as a confidential computing instance with AMD Secure Encrypted Virtualization Secure Nested Paging (AMD SEV-SNP) as the confidential computing technology. When set to IntelTrustedDomainExtensions, the machine will be configured as a confidential computing instance with Intel Trusted Domain Extensions (Intel TDX) as the confidential computing technology. If any value other than Disabled is set the selected machine type must support that specific confidential computing technology. The machine series supporting confidential computing technologies can be checked at https://cloud.google.com/confidential-computing/confidential-vm/docs/supported-configurations#all-confidential-vm-instances Currently, AMDEncryptedVirtualization is supported in c2d, n2d, and c3d machines. AMDEncryptedVirtualizationNestedPaging is supported in n2d machines. IntelTrustedDomainExtensions is supported in c3 machines. If any value other than Disabled is set, the selected region must support that specific confidential computing technology. The list of regions supporting confidential computing technologies can be checked at https://cloud.google.com/confidential-computing/confidential-vm/docs/supported-configurations#supported-zones If any value other than Disabled is set onHostMaintenance is required to be set to \"Terminate\". If omitted, the platform chooses a default, which is subject to change over time, currently that default is Disabled.", "resourceManagerTags": "resourceManagerTags is an optional list of tags to apply to the GCP resources created for the cluster. 
See https://cloud.google.com/resource-manager/docs/tags/tags-overview for information on tagging GCP resources. GCP supports a maximum of 50 tags per resource.", } 
@@ -784,9 +785,10 @@ func (NetworkSpec) SwaggerDoc() map[string]string { } var map_VSphereDisk = map[string]string{ - "": "VSphereDisk describes additional disks for vSphere.", - "name": "name is used to identify the disk definition. name is required needs to be unique so that it can be used to clearly identify purpose of the disk. It must be at most 80 characters in length and must consist only of alphanumeric characters, hyphens and underscores, and must start and end with an alphanumeric character.", - "sizeGiB": "sizeGiB is the size of the disk in GiB. The maximum supported size 16384 GiB.", + "": "VSphereDisk describes additional disks for vSphere.", + "name": "name is used to identify the disk definition. name is required needs to be unique so that it can be used to clearly identify purpose of the disk. It must be at most 80 characters in length and must consist only of alphanumeric characters, hyphens and underscores, and must start and end with an alphanumeric character.", + "sizeGiB": "sizeGiB is the size of the disk in GiB. The maximum supported size 16384 GiB.", + "provisioningMode": "provisioningMode is an optional field that specifies the provisioning type to be used by this vSphere data disk. Allowed values are \"Thin\", \"Thick\", \"EagerlyZeroed\", and omitted. When set to Thin, the disk will be made using thin provisioning allocating the bare minimum space. When set to Thick, the full disk size will be allocated when disk is created. When set to EagerlyZeroed, the disk will be created using eager zero provisioning. An eager zeroed thick disk has all space allocated and wiped clean of any previous contents on the physical media at creation time. Such disks may take longer time during creation compared to other disk formats. 
When omitted, no setting will be applied to the data disk and the provisioning mode for the disk will be determined by the default storage policy configured for the datastore in vSphere.", } func (VSphereDisk) SwaggerDoc() map[string]string { diff --git a/vendor/github.com/openshift/machine-api-operator/pkg/controller/machine/controller.go b/vendor/github.com/openshift/machine-api-operator/pkg/controller/machine/controller.go index 0bb0b3d0..38e4b497 100644 --- a/vendor/github.com/openshift/machine-api-operator/pkg/controller/machine/controller.go +++ b/vendor/github.com/openshift/machine-api-operator/pkg/controller/machine/controller.go 
@@ -177,43 +177,60 @@ func (r *ReconcileMachine) Reconcile(ctx context.Context, request reconcile.Requ originalConditions := conditions.DeepCopyConditions(m.Status.Conditions) if r.gate.Enabled(featuregate.Feature(openshiftfeatures.FeatureGateMachineAPIMigration)) { - // Check Status.AuthoritativeAPI - // If not MachineAPI. Set the paused condition true and return early. - // - // Once we have a webhook, we want to remove the check that the AuthoritativeAPI - // field is populated. - if m.Status.AuthoritativeAPI != "" && - m.Status.AuthoritativeAPI != machinev1.MachineAuthorityMachineAPI { - conditions.Set(m, conditions.TrueConditionWithReason( - PausedCondition, - PausedConditionReason, - "The AuthoritativeAPI is set to %s", string(m.Status.AuthoritativeAPI), - )) - if patchErr := r.updateStatus(ctx, m, ptr.Deref(m.Status.Phase, ""), nil, originalConditions); patchErr != nil { - klog.Errorf("%v: error patching status: %v", machineName, patchErr) + switch m.Status.AuthoritativeAPI { + case "": + // An empty .status.authoritativeAPI normally means the resource has not yet been reconciled. + // and that the value in .spec.authoritativeAPI has not been propagated to .status.authoritativeAPI yet. + // This value can be set by two separate controllers, depending which one of them is running at that time, + // or in case they are both running, which one gets to set it first (the operation is idempotent so there is no harm in racing). 
+ // - the cluster-capi-operator machine-api-migration's migration controller + // - this controller + + klog.Infof("%v: machine .status.authoritativeAPI is not yet set, setting it to .spec.authoritativeAPI", m.Name) + + if err := r.patchStatusAuthoritativeAPI(ctx, m, m.Spec.AuthoritativeAPI); err != nil { + klog.Errorf("%v: error patching status to set .status.authoritativeAPI for machine: %v", m.Name, err) + return reconcile.Result{}, fmt.Errorf("error patching status to set .status.authoritativeAPI for machine %s: %w", m.Name, err) + } + + // Return to give a chance to the changes to get propagated. + return reconcile.Result{}, nil + + case machinev1.MachineAuthorityClusterAPI, machinev1.MachineAuthorityMigrating: + // In cases when .status.authoritativeAPI is set to machinev1.MachineAuthorityClusterAPI, machinev1.MachineAuthorityMigrating + // the resource should be paused and not reconciled further. + desiredCondition := conditions.TrueConditionWithReason( + PausedCondition, PausedConditionReason, + "The AuthoritativeAPI status is set to '%s'", string(m.Status.AuthoritativeAPI), + ) + + if _, err := r.ensureUpdatedPausedCondition(ctx, m, desiredCondition, + fmt.Sprintf("%v: machine .status.authoritativeAPI is set to '%s', ensuring machine is paused", machineName, m.Status.AuthoritativeAPI)); err != nil { + return reconcile.Result{}, fmt.Errorf("failed to ensure paused condition: %w", err) } klog.Infof("%v: machine is paused, taking no further action", machineName) + return reconcile.Result{}, nil - } - var pausedFalseReason string - if m.Status.AuthoritativeAPI != "" { - pausedFalseReason = fmt.Sprintf("The AuthoritativeAPI is set to %s", string(m.Status.AuthoritativeAPI)) - } else { - pausedFalseReason = "The AuthoritativeAPI is not set" - } + case machinev1.MachineAuthorityMachineAPI: + // The authority is MachineAPI and the resource should not be paused. 
+ desiredCondition := conditions.FalseCondition( + PausedCondition, NotPausedConditionReason, machinev1.ConditionSeverityInfo, "%s", + fmt.Sprintf("The AuthoritativeAPI status is set to '%s'", string(m.Status.AuthoritativeAPI)), + ) + + if updated, err := r.ensureUpdatedPausedCondition(ctx, m, desiredCondition, + fmt.Sprintf("%v: machine .status.authoritativeAPI is set to '%s', unpausing machine", machineName, m.Status.AuthoritativeAPI)); err != nil { + return reconcile.Result{}, fmt.Errorf("failed to ensure paused condition: %w", err) + } else if updated { + klog.Infof("%v: setting machine paused condition to false", machineName) + } - // Set the paused condition to false, continue reconciliation - conditions.Set(m, conditions.FalseCondition( - PausedCondition, - NotPausedConditionReason, - machinev1.ConditionSeverityInfo, - "%s", - pausedFalseReason, - )) - if patchErr := r.updateStatus(ctx, m, ptr.Deref(m.Status.Phase, ""), nil, originalConditions); patchErr != nil { - klog.Errorf("%v: error patching status: %v", machineName, patchErr) + // Fallthrough and continue reconcilation. + default: + klog.Errorf("%v: invalid .status.authoritativeAPI '%s'", machineName, m.Status.AuthoritativeAPI) + return reconcile.Result{}, nil // Do not return an error to avoid immediate requeue. } } 
@@ -433,6 +450,23 @@ func (r *ReconcileMachine) deleteNode(ctx context.Context, name string) error { return r.Client.Delete(ctx, &node) } +// ensureUpdatedPausedCondition updates the paused condition if needed. +func (r *ReconcileMachine) ensureUpdatedPausedCondition(ctx context.Context, m *machinev1.Machine, desiredCondition *machinev1.Condition, logMessage string) (bool, error) { + oldM := m.DeepCopy() + if !conditions.IsEquivalentTo(conditions.Get(m, PausedCondition), desiredCondition) { + klog.Info(logMessage) + conditions.Set(m, desiredCondition) + if err := r.updateStatus(ctx, m, ptr.Deref(m.Status.Phase, ""), nil, oldM.Status.Conditions); err != nil { + klog.Errorf("%v: error updating status: %v", oldM.Name, err) + return false, fmt.Errorf("error updating status for machine %s: %w", oldM.Name, err) + } + + return true, nil + } + + return false, nil +} + func delayIfRequeueAfterError(err error) (reconcile.Result, error) { var requeueAfterError *RequeueAfterError if errors.As(err, &requeueAfterError) { @@ -538,6 +572,17 @@ func (r *ReconcileMachine) updateStatus(ctx context.Context, machine *machinev1. return nil } +func (r *ReconcileMachine) patchStatusAuthoritativeAPI(ctx context.Context, machine *machinev1.Machine, authoritativeAPI machinev1.MachineAuthority) error { + baseToPatch := client.MergeFrom(machine.DeepCopy()) + machine.Status.AuthoritativeAPI = authoritativeAPI + + if err := r.Client.Status().Patch(ctx, machine, baseToPatch); err != nil { + return fmt.Errorf("error patching machine status: %w", err) + } + + return nil +} + func (r *ReconcileMachine) patchFailedMachineInstanceAnnotation(ctx context.Context, machine *machinev1.Machine) error { baseToPatch := client.MergeFrom(machine.DeepCopy()) if machine.Annotations == nil { 
diff --git a/vendor/github.com/openshift/machine-api-operator/pkg/controller/machine/drain_controller.go b/vendor/github.com/openshift/machine-api-operator/pkg/controller/machine/drain_controller.go index d75b146d..5ada1b3c 100644 --- a/vendor/github.com/openshift/machine-api-operator/pkg/controller/machine/drain_controller.go +++ b/vendor/github.com/openshift/machine-api-operator/pkg/controller/machine/drain_controller.go @@ -75,6 +75,7 @@ func (d *machineDrainController) Reconcile(ctx context.Context, request reconcil // Error reading the object - requeue the request. return reconcile.Result{}, err } + machineCopy := m.DeepCopy() existingDrainedCondition := conditions.Get(m, machinev1.MachineDrained) alreadyDrained := existingDrainedCondition != nil && existingDrainedCondition.Status == corev1.ConditionTrue @@ -110,9 +111,9 @@ func (d *machineDrainController) Reconcile(ctx context.Context, request reconcil } conditions.Set(m, drainFinishedCondition) - // requeue request in case of failed update - if err := d.Client.Status().Update(ctx, m); err != nil { - return reconcile.Result{}, fmt.Errorf("could not update machine status: %w", err) + // requeue request in case of failed patch + if err := d.Client.Status().Patch(ctx, m, client.MergeFrom(machineCopy)); err != nil { + return reconcile.Result{}, fmt.Errorf("could not patch machine status: %w", err) } return reconcile.Result{}, nil } diff --git a/vendor/github.com/openshift/machine-api-operator/pkg/util/conditions/gettersetter.go b/vendor/github.com/openshift/machine-api-operator/pkg/util/conditions/gettersetter.go index d2a3eafb..9a6fda8c 100644 --- a/vendor/github.com/openshift/machine-api-operator/pkg/util/conditions/gettersetter.go +++ b/vendor/github.com/openshift/machine-api-operator/pkg/util/conditions/gettersetter.go 
@@ -151,6 +151,20 @@ func IsFalse(from interface{}, t machinev1.ConditionType) bool { return false } +// IsEquivalentTo returns true if condition a is equivalent to condition b, +// by checking for equality of the following fields: Type, Status, Reason, Severity and Message (it excludes LastTransitionTime). +func IsEquivalentTo(a, b *machinev1.Condition) bool { + if a == nil && b == nil { + return true + } else if a == nil { + return false + } else if b == nil { + return false + } + + return hasSameState(a, b) +} + // lexicographicLess returns true if a condition is less than another with regards to the // to order of conditions designed for convenience of the consumer, i.e. kubectl. func lexicographicLess(i, j *machinev1.Condition) bool { diff --git a/vendor/go.opentelemetry.io/otel/trace/context.go b/vendor/go.opentelemetry.io/otel/trace/context.go index 5650a174..8c45a710 100644 --- a/vendor/go.opentelemetry.io/otel/trace/context.go +++ b/vendor/go.opentelemetry.io/otel/trace/context.go @@ -22,7 +22,7 @@ func ContextWithSpanContext(parent context.Context, sc SpanContext) context.Cont return ContextWithSpan(parent, nonRecordingSpan{sc: sc}) } -// ContextWithRemoteSpanContext returns a copy of parent with rsc set explicly +// ContextWithRemoteSpanContext returns a copy of parent with rsc set explicitly // as a remote SpanContext and as the current Span. The Span implementation // that wraps rsc is non-recording and performs no operations other than to // return rsc as the SpanContext from the SpanContext method. diff --git a/vendor/go.opentelemetry.io/otel/trace/doc.go b/vendor/go.opentelemetry.io/otel/trace/doc.go index d661c5d1..cdbf41d6 100644 --- a/vendor/go.opentelemetry.io/otel/trace/doc.go +++ b/vendor/go.opentelemetry.io/otel/trace/doc.go 
@@ -96,7 +96,7 @@ can embed the API interface directly. This option is not recommended. It will lead to publishing packages that contain runtime panics when users update to newer versions of -[go.opentelemetry.io/otel/trace], which may be done with a trasitive +[go.opentelemetry.io/otel/trace], which may be done with a transitive dependency. Finally, an author can embed another implementation in theirs. The embedded diff --git a/vendor/modules.txt b/vendor/modules.txt index d0013483..e8f34a40 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -288,7 +288,7 @@ github.com/onsi/gomega/matchers/support/goraph/edge github.com/onsi/gomega/matchers/support/goraph/node github.com/onsi/gomega/matchers/support/goraph/util github.com/onsi/gomega/types -# github.com/openshift/api v0.0.0-20250130171037-7bb8a0201a56 +# github.com/openshift/api v0.0.0-20250528100135-a463917701ab ## explicit; go 1.23.0 github.com/openshift/api/config/v1 github.com/openshift/api/config/v1alpha1 @@ -296,7 +296,7 @@ github.com/openshift/api/features github.com/openshift/api/machine/v1 github.com/openshift/api/machine/v1beta1 github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests -# github.com/openshift/client-go v0.0.0-20250125113824-8e1f0b8fa9a7 +# github.com/openshift/client-go v0.0.0-20250131180035-f7ec47e2d87a ## explicit; go 1.23.0 github.com/openshift/client-go/config/applyconfigurations/config/v1 github.com/openshift/client-go/config/applyconfigurations/internal 
@@ -317,7 +317,7 @@ github.com/openshift/client-go/machine/listers/machine/v1beta1 github.com/openshift/library-go/pkg/config/clusterstatus github.com/openshift/library-go/pkg/config/leaderelection github.com/openshift/library-go/pkg/features -# github.com/openshift/machine-api-operator v0.2.1-0.20250203164435-b657d8bf9389 +# github.com/openshift/machine-api-operator v0.2.1-0.20250704070513-81d86b5a1ef5 ## explicit; go 1.23.0 github.com/openshift/machine-api-operator/pkg/controller/machine github.com/openshift/machine-api-operator/pkg/metrics @@ -376,14 +376,14 @@ go.mongodb.org/mongo-driver/bson/bsonrw go.mongodb.org/mongo-driver/bson/bsontype go.mongodb.org/mongo-driver/bson/primitive go.mongodb.org/mongo-driver/x/bsonx/bsoncore -# go.opentelemetry.io/otel v1.29.0 -## explicit; go 1.21 +# go.opentelemetry.io/otel v1.30.0 +## explicit; go 1.22 go.opentelemetry.io/otel/attribute go.opentelemetry.io/otel/codes go.opentelemetry.io/otel/internal go.opentelemetry.io/otel/internal/attribute -# go.opentelemetry.io/otel/trace v1.29.0 -## explicit; go 1.21 +# go.opentelemetry.io/otel/trace v1.30.0 +## explicit; go 1.22 go.opentelemetry.io/otel/trace go.opentelemetry.io/otel/trace/embedded # golang.org/x/crypto v0.32.0 @@ -526,7 +526,7 @@ gopkg.in/yaml.v2 # gopkg.in/yaml.v3 v3.0.1 ## explicit gopkg.in/yaml.v3 -# k8s.io/api v0.32.1 +# k8s.io/api v0.32.2 ## explicit; go 1.23.0 k8s.io/api/admission/v1 k8s.io/api/admission/v1beta1 @@ -587,7 +587,7 @@ k8s.io/api/storage/v1 k8s.io/api/storage/v1alpha1 k8s.io/api/storage/v1beta1 k8s.io/api/storagemigration/v1alpha1 -# k8s.io/apiextensions-apiserver v0.32.1 +# k8s.io/apiextensions-apiserver v0.32.2 ## explicit; go 1.23.0 k8s.io/apiextensions-apiserver/pkg/apis/apiextensions k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 
@@ -598,7 +598,7 @@ k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/scheme k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1 k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1beta1 -# k8s.io/apimachinery v0.32.1 +# k8s.io/apimachinery v0.32.2 ## explicit; go 1.23.0 k8s.io/apimachinery/pkg/api/equality k8s.io/apimachinery/pkg/api/errors @@ -665,16 +665,16 @@ k8s.io/apimachinery/pkg/watch k8s.io/apimachinery/third_party/forked/golang/json k8s.io/apimachinery/third_party/forked/golang/netutil k8s.io/apimachinery/third_party/forked/golang/reflect -# k8s.io/apiserver v0.32.1 +# k8s.io/apiserver v0.32.2 ## explicit; go 1.23.0 k8s.io/apiserver/pkg/util/feature -# k8s.io/cli-runtime v0.32.1 +# k8s.io/cli-runtime v0.32.2 ## explicit; go 1.23.0 k8s.io/cli-runtime/pkg/genericclioptions k8s.io/cli-runtime/pkg/genericiooptions k8s.io/cli-runtime/pkg/printers k8s.io/cli-runtime/pkg/resource -# k8s.io/client-go v0.32.1 +# k8s.io/client-go v0.32.2 ## explicit; go 1.23.0 k8s.io/client-go/applyconfigurations/admissionregistration/v1 k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1 @@ -964,7 +964,7 @@ k8s.io/client-go/util/keyutil k8s.io/client-go/util/retry k8s.io/client-go/util/watchlist k8s.io/client-go/util/workqueue -# k8s.io/component-base v0.32.1 +# k8s.io/component-base v0.32.2 ## explicit; go 1.23.0 k8s.io/component-base/cli/flag k8s.io/component-base/featuregate @@ -996,7 +996,7 @@ k8s.io/kube-openapi/pkg/spec3 k8s.io/kube-openapi/pkg/util/proto k8s.io/kube-openapi/pkg/util/proto/validation k8s.io/kube-openapi/pkg/validation/spec -# k8s.io/kubectl v0.32.1 +# k8s.io/kubectl v0.32.2 ## explicit; go 1.23.0 k8s.io/kubectl/pkg/cmd/util k8s.io/kubectl/pkg/drain