diff --git a/go.mod b/go.mod index 299d230d..4e3cc105 100644 --- a/go.mod +++ b/go.mod @@ -10,9 +10,9 @@ require ( github.com/nutanix-cloud-native/prism-go-client v0.5.1 github.com/onsi/ginkgo/v2 v2.22.2 github.com/onsi/gomega v1.36.2 - github.com/openshift/api v0.0.0-20250305122440-3e04d3af8c3e + github.com/openshift/api v0.0.0-20250528100135-a463917701ab github.com/openshift/library-go v0.0.0-20250129210218-fe56c2cf5d70 - github.com/openshift/machine-api-operator v0.2.1-0.20250331230956-c6b86e48e8fd + github.com/openshift/machine-api-operator v0.2.1-0.20250704070513-81d86b5a1ef5 github.com/vincent-petithory/dataurl v1.0.0 k8s.io/api v0.32.2 k8s.io/apimachinery v0.32.2 diff --git a/go.sum b/go.sum index c7c36502..40291c74 100644 --- a/go.sum +++ b/go.sum @@ -388,8 +388,8 @@ github.com/onsi/ginkgo/v2 v2.22.2 h1:/3X8Panh8/WwhU/3Ssa6rCKqPLuAkVY2I0RoyDLySlU github.com/onsi/ginkgo/v2 v2.22.2/go.mod h1:oeMosUL+8LtarXBHu/c0bx2D/K9zyQ6uX3cTyztHwsk= github.com/onsi/gomega v1.36.2 h1:koNYke6TVk6ZmnyHrCXba/T/MoLBXFjeC1PtvYgw0A8= github.com/onsi/gomega v1.36.2/go.mod h1:DdwyADRjrc825LhMEkD76cHR5+pUnjhUN8GlHlRPHzY= -github.com/openshift/api v0.0.0-20250305122440-3e04d3af8c3e h1:bEcCutNr5RLU/DudWNs/nlOLBqMxrfsHtVuMttkxvWE= -github.com/openshift/api v0.0.0-20250305122440-3e04d3af8c3e/go.mod h1:yk60tHAmHhtVpJQo3TwVYq2zpuP70iJIFDCmeKMIzPw= +github.com/openshift/api v0.0.0-20250528100135-a463917701ab h1:99AhxDrrz2M4llF0eYOCv7NMowALSzp97UN3I5MKGlo= +github.com/openshift/api v0.0.0-20250528100135-a463917701ab/go.mod h1:yk60tHAmHhtVpJQo3TwVYq2zpuP70iJIFDCmeKMIzPw= github.com/openshift/client-go v0.0.0-20250131180035-f7ec47e2d87a h1:duO3JMrUOqVx50QhzxvDeOYIwTNOB8/EEuRLPyvAMBg= github.com/openshift/client-go v0.0.0-20250131180035-f7ec47e2d87a/go.mod h1:Qw3ThpzVZ0bfTILpBNYg4LGyjtNxfyCiGh/uDLOOTP8= github.com/openshift/cluster-api-actuator-pkg/testutils v0.0.0-20250122171707-86066d47a264 h1:KoJiId8Ynajf/ZFodvmayFkDODIL7Vow3LmgR5+oVRg= @@ -398,8 +398,8 @@ github.com/openshift/cluster-control-plane-machine-set-operator v0.0.0-202501281 github.com/openshift/cluster-control-plane-machine-set-operator v0.0.0-20250128131205-c7b3d7b57a8e/go.mod h1:ae3TvkWGFUuKQAnypbtiVMXxBlRfJGbf37z5zVh98uA= github.com/openshift/library-go v0.0.0-20250129210218-fe56c2cf5d70 h1:VLj8CU9q009xlMuR4wNcqDX4lVa2Ji3u/iYnBLHtQUc= github.com/openshift/library-go v0.0.0-20250129210218-fe56c2cf5d70/go.mod h1:TQx0VEhZ/92qRXIMDu2Wg4bUPmw5HRNE6wpSZ+IsP0Y= -github.com/openshift/machine-api-operator v0.2.1-0.20250331230956-c6b86e48e8fd h1:HufFexLI7SOehjaVrp4qc40QdC+qACSmi2AZPKWF19s= -github.com/openshift/machine-api-operator v0.2.1-0.20250331230956-c6b86e48e8fd/go.mod h1:PhLx4BqZpa0hHrB/lVUYgnlQ5ut/3RElWAA6Cjc0wIA= +github.com/openshift/machine-api-operator v0.2.1-0.20250704070513-81d86b5a1ef5 h1:qE46shcZY9nOnah14lQOPWduvWYrXIVpCnDoH4IMt0o= +github.com/openshift/machine-api-operator v0.2.1-0.20250704070513-81d86b5a1ef5/go.mod h1:1fnQ4CMfwvkLTRafNW3aSC/9w73vbYW6h4ogM0sALgw= github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M= github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= diff --git a/vendor/github.com/openshift/api/config/v1/types_apiserver.go b/vendor/github.com/openshift/api/config/v1/types_apiserver.go index 75b647f7..38322b95 100644 --- a/vendor/github.com/openshift/api/config/v1/types_apiserver.go +++ b/vendor/github.com/openshift/api/config/v1/types_apiserver.go @@ -51,6 +51,7 @@ type APIServerSpec struct { // server from JavaScript applications. // The values are regular expressions that correspond to the Golang regular expression language. // +optional + // +listType=atomic AdditionalCORSAllowedOrigins []string `json:"additionalCORSAllowedOrigins,omitempty"` // encryption allows the configuration of encryption of resources at the datastore layer. // +optional @@ -153,6 +154,7 @@ type APIServerServingCerts struct { // If no named certificates are provided, or no named certificates match the server name as understood by a client, // the defaultServingCertificate will be used. // +optional + // +listType=atomic NamedCertificates []APIServerNamedServingCert `json:"namedCertificates,omitempty"` } @@ -162,6 +164,7 @@ type APIServerNamedServingCert struct { // serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. // Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. // +optional + // +listType=atomic Names []string `json:"names,omitempty"` // servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. // The secret must exist in the openshift-config namespace and contain the following required fields: @@ -170,6 +173,9 @@ type APIServerNamedServingCert struct { ServingCertificate SecretNameReference `json:"servingCertificate"` } +// APIServerEncryption is used to encrypt sensitive resources on the cluster. +// +openshift:validation:FeatureGateAwareXValidation:featureGate=KMSEncryptionProvider,rule="has(self.type) && self.type == 'KMS' ? has(self.kms) : !has(self.kms)",message="kms config is required when encryption type is KMS, and forbidden otherwise" +// +union type APIServerEncryption struct { // type defines what encryption type should be used to encrypt resources at the datastore layer. // When this field is unset (i.e. when it is set to the empty string), identity is implied. @@ -188,9 +194,23 @@ type APIServerEncryption struct { // +unionDiscriminator // +optional Type EncryptionType `json:"type,omitempty"` + + // kms defines the configuration for the external KMS instance that manages the encryption keys, + // when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an + // externally configured KMS instance. + // + // The Key Management Service (KMS) instance provides symmetric encryption and is responsible for + // managing the lifecyle of the encryption keys outside of the control plane. + // This allows integration with an external provider to manage the data encryption keys securely. + // + // +openshift:enable:FeatureGate=KMSEncryptionProvider + // +unionMember + // +optional + KMS *KMSConfig `json:"kms,omitempty"` } -// +kubebuilder:validation:Enum="";identity;aescbc;aesgcm +// +openshift:validation:FeatureGateAwareEnum:featureGate="",enum="";identity;aescbc;aesgcm +// +openshift:validation:FeatureGateAwareEnum:featureGate=KMSEncryptionProvider,enum="";identity;aescbc;aesgcm;KMS type EncryptionType string const ( @@ -205,6 +225,11 @@ const ( // aesgcm refers to a type where AES-GCM with random nonce and a 32-byte key // is used to perform encryption at the datastore layer. EncryptionTypeAESGCM EncryptionType = "aesgcm" + + // kms refers to a type of encryption where the encryption keys are managed + // outside the control plane in a Key Management Service instance, + // encryption is still performed at the datastore layer. + EncryptionTypeKMS EncryptionType = "KMS" ) type APIServerStatus struct { diff --git a/vendor/github.com/openshift/api/config/v1/types_authentication.go b/vendor/github.com/openshift/api/config/v1/types_authentication.go index 65dffddb..02c586b3 100644 --- a/vendor/github.com/openshift/api/config/v1/types_authentication.go +++ b/vendor/github.com/openshift/api/config/v1/types_authentication.go @@ -5,7 +5,7 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" // +genclient // +genclient:nonNamespaced // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object -// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDC,rule="!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace == specC.componentNamespace && statusC.componentName == specC.componentName) || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, oldC.componentNamespace == specC.componentNamespace && oldC.componentName == specC.componentName)))))",message="all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients" +// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDC;ExternalOIDCWithUIDAndExtraClaimMappings,rule="!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace == specC.componentNamespace && statusC.componentName == specC.componentName) || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, oldC.componentNamespace == specC.componentNamespace && oldC.componentName == specC.componentName)))))",message="all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients" // Authentication specifies cluster-wide settings for authentication (like OAuth and // webhook token authenticators). The canonical name of an instance is `cluster`. @@ -90,6 +90,7 @@ type AuthenticationSpec struct { // +listMapKey=name // +kubebuilder:validation:MaxItems=1 // +openshift:enable:FeatureGate=ExternalOIDC + // +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings OIDCProviders []OIDCProvider `json:"oidcProviders,omitempty"` } @@ -117,6 +118,7 @@ type AuthenticationStatus struct { // +listMapKey=componentName // +kubebuilder:validation:MaxItems=20 // +openshift:enable:FeatureGate=ExternalOIDC + // +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings OIDCClients []OIDCClientStatus `json:"oidcClients"` } @@ -135,7 +137,7 @@ type AuthenticationList struct { } // +openshift:validation:FeatureGateAwareEnum:featureGate="",enum="";None;IntegratedOAuth -// +openshift:validation:FeatureGateAwareEnum:featureGate=ExternalOIDC,enum="";None;IntegratedOAuth;OIDC +// +openshift:validation:FeatureGateAwareEnum:featureGate=ExternalOIDC;ExternalOIDCWithUIDAndExtraClaimMappings,enum="";None;IntegratedOAuth;OIDC type AuthenticationType string const ( @@ -193,32 +195,50 @@ const ( ) type OIDCProvider struct { - // name of the OIDC provider + // name is a required field that configures the unique human-readable identifier + // associated with the identity provider. + // It is used to distinguish between multiple identity providers + // and has no impact on token validation or authentication mechanics. + // + // name must not be an empty string (""). // // +kubebuilder:validation:MinLength=1 // +required Name string `json:"name"` - // issuer describes atributes of the OIDC token issuer + + // issuer is a required field that configures how the platform interacts + // with the identity provider and how tokens issued from the identity provider + // are evaluated by the Kubernetes API server. // // +required Issuer TokenIssuer `json:"issuer"` - // oidcClients contains configuration for the platform's clients that - // need to request tokens from the issuer + // oidcClients is an optional field that configures how on-cluster, + // platform clients should request tokens from the identity provider. + // oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. // // +listType=map // +listMapKey=componentNamespace // +listMapKey=componentName // +kubebuilder:validation:MaxItems=20 + // +optional OIDCClients []OIDCClientConfig `json:"oidcClients"` - // claimMappings describes rules on how to transform information from an - // ID token into a cluster identity + // claimMappings is an optional field that configures the rules to be used by + // the Kubernetes API server for translating claims in a JWT token, issued + // by the identity provider, to a cluster identity. + // + // +optional ClaimMappings TokenClaimMappings `json:"claimMappings"` - // claimValidationRules are rules that are applied to validate token claims to authenticate users. + // claimValidationRules is an optional field that configures the rules to + // be used by the Kubernetes API server for validating the claims in a JWT + // token issued by the identity provider. + // + // Validation rules are joined via an AND operation. // // +listType=atomic + // +optional ClaimValidationRules []TokenClaimValidationRule `json:"claimValidationRules,omitempty"` } @@ -226,17 +246,22 @@ type OIDCProvider struct { type TokenAudience string type TokenIssuer struct { - // URL is the serving URL of the token issuer. - // Must use the https:// scheme. + // issuerURL is a required field that configures the URL used to issue tokens + // by the identity provider. + // The Kubernetes API server determines how authentication tokens should be handled + // by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + // + // issuerURL must use the 'https' scheme. // // +kubebuilder:validation:Pattern=`^https:\/\/[^\s]` // +required URL string `json:"issuerURL"` - // audiences is an array of audiences that the token was issued for. - // Valid tokens must include at least one of these values in their - // "aud" claim. - // Must be set to exactly one value. + // audiences is a required field that configures the acceptable audiences + // the JWT token, issued by the identity provider, must be issued to. + // At least one of the entries must match the 'aud' claim in the JWT token. + // + // audiences must contain at least one entry and must not exceed ten entries. // // +listType=set // +kubebuilder:validation:MinItems=1 @@ -244,93 +269,293 @@ type TokenIssuer struct { // +required Audiences []TokenAudience `json:"audiences"` - // CertificateAuthority is a reference to a config map in the - // configuration namespace. The .data of the configMap must contain - // the "ca-bundle.crt" key. - // If unset, system trust is used instead. + // issuerCertificateAuthority is an optional field that configures the + // certificate authority, used by the Kubernetes API server, to validate + // the connection to the identity provider when fetching discovery information. + // + // When not specified, the system trust is used. + // + // When specified, it must reference a ConfigMap in the openshift-config + // namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' + // key in the data field of the ConfigMap. + // + // +optional CertificateAuthority ConfigMapNameReference `json:"issuerCertificateAuthority"` } type TokenClaimMappings struct { - // username is a name of the claim that should be used to construct - // usernames for the cluster identity. + // username is an optional field that configures how the username of a cluster identity + // should be constructed from the claims in a JWT token issued by the identity provider. // - // Default value: "sub" + // +optional Username UsernameClaimMapping `json:"username,omitempty"` - // groups is a name of the claim that should be used to construct - // groups for the cluster identity. - // The referenced claim must use array of strings values. + // groups is an optional field that configures how the groups of a cluster identity + // should be constructed from the claims in a JWT token issued + // by the identity provider. + // When referencing a claim, if the claim is present in the JWT + // token, its value must be a list of groups separated by a comma (','). + // For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + // + // +optional Groups PrefixedClaimMapping `json:"groups,omitempty"` + + // uid is an optional field for configuring the claim mapping + // used to construct the uid for the cluster identity. + // + // When using uid.claim to specify the claim it must be a single string value. + // When using uid.expression the expression must result in a single string value. + // + // When omitted, this means the user has no opinion and the platform + // is left to choose a default, which is subject to change over time. + // The current default is to use the 'sub' claim. + // + // +optional + // +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings + UID *TokenClaimOrExpressionMapping `json:"uid,omitempty"` + + // extra is an optional field for configuring the mappings + // used to construct the extra attribute for the cluster identity. + // When omitted, no extra attributes will be present on the cluster identity. + // key values for extra mappings must be unique. + // A maximum of 64 extra attribute mappings may be provided. + // + // +optional + // +kubebuilder:validation:MaxItems=64 + // +listType=map + // +listMapKey=key + // +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings + Extra []ExtraMapping `json:"extra,omitempty"` } +// TokenClaimMapping allows specifying a JWT token +// claim to be used when mapping claims from an +// authentication token to cluster identities. type TokenClaimMapping struct { - // claim is a JWT token claim to be used in the mapping + // claim is a required field that configures the JWT token + // claim whose value is assigned to the cluster identity + // field associated with this mapping. // // +required Claim string `json:"claim"` } +// TokenClaimOrExpressionMapping allows specifying either a JWT +// token claim or CEL expression to be used when mapping claims +// from an authentication token to cluster identities. +// +kubebuilder:validation:XValidation:rule="has(self.claim) ? !has(self.expression) : has(self.expression)",message="precisely one of claim or expression must be set" +type TokenClaimOrExpressionMapping struct { + // claim is an optional field for specifying the + // JWT token claim that is used in the mapping. + // The value of this claim will be assigned to + // the field in which this mapping is associated. + // + // Precisely one of claim or expression must be set. + // claim must not be specified when expression is set. + // When specified, claim must be at least 1 character in length + // and must not exceed 256 characters in length. + // + // +optional + // +kubebuilder:validation:MaxLength=256 + // +kubebuilder:validation:MinLength=1 + Claim string `json:"claim,omitempty"` + + // expression is an optional field for specifying a + // CEL expression that produces a string value from + // JWT token claims. + // + // CEL expressions have access to the token claims + // through a CEL variable, 'claims'. + // 'claims' is a map of claim names to claim values. + // For example, the 'sub' claim value can be accessed as 'claims.sub'. + // Nested claims can be accessed using dot notation ('claims.foo.bar'). + // + // Precisely one of claim or expression must be set. + // expression must not be specified when claim is set. + // When specified, expression must be at least 1 character in length + // and must not exceed 4096 characters in length. + // + // +optional + // +kubebuilder:validation:MaxLength=4096 + // +kubebuilder:validation:MinLength=1 + Expression string `json:"expression,omitempty"` +} + +// ExtraMapping allows specifying a key and CEL expression +// to evaluate the keys' value. It is used to create additional +// mappings and attributes added to a cluster identity from +// a provided authentication token. +type ExtraMapping struct { + // key is a required field that specifies the string + // to use as the extra attribute key. + // + // key must be a domain-prefix path (e.g 'example.org/foo'). + // key must not exceed 510 characters in length. + // key must contain the '/' character, separating the domain and path characters. + // key must not be empty. + // + // The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. + // It must not exceed 253 characters in length. + // It must start and end with an alphanumeric character. + // It must only contain lower case alphanumeric characters and '-' or '.'. + // It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". + // + // The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one + // alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + // It must not exceed 256 characters in length. + // + // +required + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=510 + // +kubebuilder:validation:XValidation:rule="self.contains('/')",message="key must contain the '/' character" + // + // +kubebuilder:validation:XValidation:rule="self.split('/', 2)[0].matches(\"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\")",message="the domain of the key must consist of only lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character" + // +kubebuilder:validation:XValidation:rule="self.split('/', 2)[0].size() <= 253",message="the domain of the key must not exceed 253 characters in length" + // + // +kubebuilder:validation:XValidation:rule="self.split('/', 2)[0] != 'kubernetes.io'",message="the domain 'kubernetes.io' is reserved for Kubernetes use" + // +kubebuilder:validation:XValidation:rule="!self.split('/', 2)[0].endsWith('.kubernetes.io')",message="the subdomains '*.kubernetes.io' are reserved for Kubernetes use" + // +kubebuilder:validation:XValidation:rule="self.split('/', 2)[0] != 'k8s.io'",message="the domain 'k8s.io' is reserved for Kubernetes use" + // +kubebuilder:validation:XValidation:rule="!self.split('/', 2)[0].endsWith('.k8s.io')",message="the subdomains '*.k8s.io' are reserved for Kubernetes use" + // +kubebuilder:validation:XValidation:rule="self.split('/', 2)[0] != 'openshift.io'",message="the domain 'openshift.io' is reserved for OpenShift use" + // +kubebuilder:validation:XValidation:rule="!self.split('/', 2)[0].endsWith('.openshift.io')",message="the subdomains '*.openshift.io' are reserved for OpenShift use" + // + // +kubebuilder:validation:XValidation:rule="self.split('/', 2)[1].matches('[A-Za-z0-9/\\\\-._~%!$&\\'()*+;=:]+')",message="the path of the key must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, apostrophe, '-', '.', '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', ';', '=', and ':'" + // +kubebuilder:validation:XValidation:rule="self.split('/', 2)[1].size() <= 256",message="the path of the key must not exceed 256 characters in length" + Key string `json:"key"` + + // valueExpression is a required field to specify the CEL expression to extract + // the extra attribute value from a JWT token's claims. + // valueExpression must produce a string or string array value. + // "", [], and null are treated as the extra mapping not being present. + // Empty string values within an array are filtered out. + // + // CEL expressions have access to the token claims + // through a CEL variable, 'claims'. + // 'claims' is a map of claim names to claim values. + // For example, the 'sub' claim value can be accessed as 'claims.sub'. + // Nested claims can be accessed using dot notation ('claims.foo.bar'). + // + // valueExpression must not exceed 4096 characters in length. + // valueExpression must not be empty. + // + // +required + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=4096 + ValueExpression string `json:"valueExpression"` +} + +// OIDCClientConfig configures how platform clients +// interact with identity providers as an authentication +// method type OIDCClientConfig struct { - // componentName is the name of the component that is supposed to consume this - // client configuration + // componentName is a required field that specifies the name of the platform + // component being configured to use the identity provider as an authentication mode. + // It is used in combination with componentNamespace as a unique identifier. + // + // componentName must not be an empty string ("") and must not exceed 256 characters in length. // // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=256 // +required ComponentName string `json:"componentName"` - // componentNamespace is the namespace of the component that is supposed to consume this - // client configuration + // componentNamespace is a required field that specifies the namespace in which the + // platform component being configured to use the identity provider as an authentication + // mode is running. + // It is used in combination with componentName as a unique identifier. + // + // componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. // // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=63 // +required ComponentNamespace string `json:"componentNamespace"` - // clientID is the identifier of the OIDC client from the OIDC provider + // clientID is a required field that configures the client identifier, from + // the identity provider, that the platform component uses for authentication + // requests made to the identity provider. + // The identity provider must accept this identifier for platform components + // to be able to use the identity provider as an authentication mode. + // + // clientID must not be an empty string (""). // // +kubebuilder:validation:MinLength=1 // +required ClientID string `json:"clientID"` - // clientSecret refers to a secret in the `openshift-config` namespace that - // contains the client secret in the `clientSecret` key of the `.data` field + // clientSecret is an optional field that configures the client secret used + // by the platform component when making authentication requests to the identity provider. + // + // When not specified, no client secret will be used when making authentication requests + // to the identity provider. + // + // When specified, clientSecret references a Secret in the 'openshift-config' + // namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + // The client secret will be used when making authentication requests to the identity provider. + // + // Public clients do not require a client secret but private + // clients do require a client secret to work with the identity provider. + // + // +optional ClientSecret SecretNameReference `json:"clientSecret"` - // extraScopes is an optional set of scopes to request tokens with. + // extraScopes is an optional field that configures the extra scopes that should + // be requested by the platform component when making authentication requests to the + // identity provider. + // This is useful if you have configured claim mappings that requires specific + // scopes to be requested beyond the standard OIDC scopes. + // + // When omitted, no additional scopes are requested. // // +listType=set + // +optional ExtraScopes []string `json:"extraScopes"` } +// OIDCClientStatus represents the current state +// of platform components and how they interact with +// the configured identity providers. type OIDCClientStatus struct { - // componentName is the name of the component that will consume a client configuration. + // componentName is a required field that specifies the name of the platform + // component using the identity provider as an authentication mode. + // It is used in combination with componentNamespace as a unique identifier. + // + // componentName must not be an empty string ("") and must not exceed 256 characters in length. // // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=256 // +required ComponentName string `json:"componentName"` - // componentNamespace is the namespace of the component that will consume a client configuration. + // componentNamespace is a required field that specifies the namespace in which the + // platform component using the identity provider as an authentication + // mode is running. + // It is used in combination with componentName as a unique identifier. + // + // componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. // // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=63 // +required ComponentNamespace string `json:"componentNamespace"` - // currentOIDCClients is a list of clients that the component is currently using. + // currentOIDCClients is an optional list of clients that the component is currently using. + // Entries must have unique issuerURL/clientID pairs. // // +listType=map // +listMapKey=issuerURL // +listMapKey=clientID + // +optional CurrentOIDCClients []OIDCClientReference `json:"currentOIDCClients"` - // consumingUsers is a slice of ServiceAccounts that need to have read - // permission on the `clientSecret` secret. + // consumingUsers is an optional list of ServiceAccounts requiring + // read permissions on the `clientSecret` secret. + // + // consumingUsers must not exceed 5 entries. // // +kubebuilder:validation:MaxItems=5 // +listType=set + // +optional ConsumingUsers []ConsumingUser `json:"consumingUsers"` // conditions are used to communicate the state of the `oidcClients` entry. @@ -343,24 +568,36 @@ type OIDCClientStatus struct { // // +listType=map // +listMapKey=type + // +optional Conditions []metav1.Condition `json:"conditions,omitempty"` } +// OIDCClientReference is a reference to a platform component +// client configuration. type OIDCClientReference struct { - // OIDCName refers to the `name` of the provider from `oidcProviders` + // oidcProviderName is a required reference to the 'name' of the identity provider + // configured in 'oidcProviders' that this client is associated with. + // + // oidcProviderName must not be an empty string (""). // // +kubebuilder:validation:MinLength=1 // +required OIDCProviderName string `json:"oidcProviderName"` - // URL is the serving URL of the token issuer. - // Must use the https:// scheme. + // issuerURL is a required field that specifies the URL of the identity + // provider that this client is configured to make requests against. + // + // issuerURL must use the 'https' scheme. // // +kubebuilder:validation:Pattern=`^https:\/\/[^\s]` // +required IssuerURL string `json:"issuerURL"` - // clientID is the identifier of the OIDC client from the OIDC provider + // clientID is a required field that specifies the client identifier, from + // the identity provider, that the platform component is using for authentication + // requests made to the identity provider. + // + // clientID must not be empty. // // +kubebuilder:validation:MinLength=1 // +required @@ -368,35 +605,52 @@ type OIDCClientReference struct { } // +kubebuilder:validation:XValidation:rule="has(self.prefixPolicy) && self.prefixPolicy == 'Prefix' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)",message="prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise" +// +union type UsernameClaimMapping struct { TokenClaimMapping `json:",inline"` - // prefixPolicy specifies how a prefix should apply. + // prefixPolicy is an optional field that configures how a prefix should be + // applied to the value of the JWT claim specified in the 'claim' field. + // + // Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). // - // By default, claims other than `email` will be prefixed with the issuer URL to - // prevent naming clashes with other plugins. + // When set to 'Prefix', the value specified in the prefix field will be + // prepended to the value of the JWT claim. + // The prefix field must be set when prefixPolicy is 'Prefix'. // - // Set to "NoPrefix" to disable prefixing. + // When set to 'NoPrefix', no prefix will be prepended to the value + // of the JWT claim. // - // Example: - // (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - // If the JWT claim `username` contains value `userA`, the resulting - // mapped value will be "myoidc:userA". - // (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - // JWT `email` claim contains value "userA@myoidc.tld", the resulting - // mapped value will be "myoidc:userA@myoidc.tld". - // (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - // the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - // and `claim` is set to: - // (a) "username": the mapped value will be "https://myoidc.tld#userA" - // (b) "email": the mapped value will be "userA@myoidc.tld" + // When omitted, this means no opinion and the platform is left to choose + // any prefixes that are applied which is subject to change over time. + // Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim + // when the claim is not 'email'. + // As an example, consider the following scenario: + // `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + // the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + // and `claim` is set to: + // - "username": the mapped value will be "https://myoidc.tld#userA" + // - "email": the mapped value will be "userA@myoidc.tld" // // +kubebuilder:validation:Enum={"", "NoPrefix", "Prefix"} + // +optional + // +unionDiscriminator PrefixPolicy UsernamePrefixPolicy `json:"prefixPolicy"` + // prefix configures the prefix that should be prepended to the value + // of the JWT claim. + // + // prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. + // + // +optional + // +unionMember Prefix *UsernamePrefix `json:"prefix"` } +// UsernamePrefixPolicy configures how prefixes should be applied +// to values extracted from the JWT claims during the process of mapping +// JWT claims to cluster identity attributes. +// +enum type UsernamePrefixPolicy string var ( @@ -411,26 +665,42 @@ var ( Prefix UsernamePrefixPolicy = "Prefix" ) +// UsernamePrefix configures the string that should +// be used as a prefix for username claim mappings. type UsernamePrefix struct { + // prefixString is a required field that configures the prefix that will + // be applied to cluster identity username attribute + // during the process of mapping JWT claims to cluster identity attributes. + // + // prefixString must not be an empty string (""). + // // +kubebuilder:validation:MinLength=1 // +required PrefixString string `json:"prefixString"` } +// PrefixedClaimMapping configures a claim mapping +// that allows for an optional prefix. type PrefixedClaimMapping struct { TokenClaimMapping `json:",inline"` - // prefix is a string to prefix the value from the token in the result of the - // claim mapping. + // prefix is an optional field that configures the prefix that will be + // applied to the cluster identity attribute during the process of mapping + // JWT claims to cluster identity attributes. // - // By default, no prefixing occurs. + // When omitted (""), no prefix is applied to the cluster identity attribute. // - // Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains + // Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains // an array of strings "a", "b" and "c", the mapping will result in an // array of string "myoidc:a", "myoidc:b" and "myoidc:c". + // + // +optional Prefix string `json:"prefix"` } +// TokenValidationRuleType represents the different +// claim validation rule types that can be configured. +// +enum type TokenValidationRuleType string const ( @@ -438,26 +708,45 @@ const ( ) type TokenClaimValidationRule struct { - // type sets the type of the validation rule + // type is an optional field that configures the type of the validation rule. + // + // Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). + // + // When set to 'RequiredClaim', the Kubernetes API server + // will be configured to validate that the incoming JWT + // contains the required claim and that its value matches + // the required value. + // + // Defaults to 'RequiredClaim'. // // +kubebuilder:validation:Enum={"RequiredClaim"} // +kubebuilder:default="RequiredClaim" Type TokenValidationRuleType `json:"type"` - // requiredClaim allows configuring a required claim name and its expected - // value + // requiredClaim is an optional field that configures the required claim + // and value that the Kubernetes API server will use to validate if an incoming + // JWT is valid for this identity provider. + // + // +optional RequiredClaim *TokenRequiredClaim `json:"requiredClaim"` } type TokenRequiredClaim struct { - // claim is a name of a required claim. Only claims with string values are - // supported. + // claim is a required field that configures the name of the required claim. + // When taken from the JWT claims, claim must be a string value. + // + // claim must not be an empty string (""). // // +kubebuilder:validation:MinLength=1 // +required Claim string `json:"claim"` - // requiredValue is the required value for the claim. + // requiredValue is a required field that configures the value that 'claim' must + // have when taken from the incoming JWT claims. + // If the value in the JWT claims does not match, the token + // will be rejected for authentication. + // + // requiredValue must not be an empty string (""). // // +kubebuilder:validation:MinLength=1 // +required diff --git a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go index 70f16498..092bebff 100644 --- a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go +++ b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go @@ -796,11 +796,10 @@ type ConditionalUpdate struct { // conditions represents the observations of the conditional update's // current status. Known types are: // * Recommended, for whether the update is recommended for the current cluster. - // +patchMergeKey=type - // +patchStrategy=merge // +listType=map // +listMapKey=type - Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + // +optional + Conditions []metav1.Condition `json:"conditions,omitempty"` } // ConditionalUpdateRisk represents a reason and cluster-state diff --git a/vendor/github.com/openshift/api/config/v1/types_feature.go b/vendor/github.com/openshift/api/config/v1/types_feature.go index 81bc14f2..0709a75a 100644 --- a/vendor/github.com/openshift/api/config/v1/types_feature.go +++ b/vendor/github.com/openshift/api/config/v1/types_feature.go @@ -99,6 +99,7 @@ type FeatureGateStatus struct { // Known .status.conditions.type are: "DeterminationDegraded" // +listType=map // +listMapKey=type + // +optional Conditions []metav1.Condition `json:"conditions,omitempty"` // featureGates contains a list of enabled and disabled featureGates that are keyed by payloadVersion. diff --git a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go index f10ccb85..ffb0f3f6 100644 --- a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go +++ b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go @@ -99,7 +99,9 @@ type InfrastructureStatus struct { // its components are not visible within the cluster. // +kubebuilder:default=HighlyAvailable // +openshift:validation:FeatureGateAwareEnum:featureGate="",enum=HighlyAvailable;SingleReplica;External - // +openshift:validation:FeatureGateAwareEnum:featureGate=HighlyAvailableArbiter;DualReplica,enum=HighlyAvailable;HighlyAvailableArbiter;SingleReplica;DualReplica;External + // +openshift:validation:FeatureGateAwareEnum:featureGate=HighlyAvailableArbiter,enum=HighlyAvailable;HighlyAvailableArbiter;SingleReplica;External + // +openshift:validation:FeatureGateAwareEnum:featureGate=DualReplica,enum=HighlyAvailable;SingleReplica;DualReplica;External + // +openshift:validation:FeatureGateAwareEnum:requiredFeatureGate=HighlyAvailableArbiter;DualReplica,enum=HighlyAvailable;HighlyAvailableArbiter;SingleReplica;DualReplica;External ControlPlaneTopology TopologyMode `json:"controlPlaneTopology"` // infrastructureTopology expresses the expectations for infrastructure services that do not run on control @@ -628,7 +630,7 @@ const ( ) // GCPServiceEndpointName is the name of the GCP Service Endpoint. -// +kubebuilder:validation:Enum=Compute;Container;CloudResourceManager;DNS;File;IAM;ServiceUsage;Storage;TagManager +// +kubebuilder:validation:Enum=Compute;Container;CloudResourceManager;DNS;File;IAM;ServiceUsage;Storage type GCPServiceEndpointName string const ( @@ -655,9 +657,6 @@ const ( // GCPServiceEndpointNameStorage is the name used for the GCP Storage Service endpoint. GCPServiceEndpointNameStorage GCPServiceEndpointName = "Storage" - - // GCPServiceEndpointNameTagManager is the name used for the GCP Tag Manager Service endpoint. - GCPServiceEndpointNameTagManager GCPServiceEndpointName = "TagManager" ) // GCPServiceEndpoint store the configuration of a custom url to @@ -753,7 +752,7 @@ type GCPPlatformStatus struct { // The maximum number of endpoint overrides allowed is 9. // +listType=map // +listMapKey=name - // +kubebuilder:validation:MaxItems=9 + // +kubebuilder:validation:MaxItems=8 // +kubebuilder:validation:XValidation:rule="self.all(x, self.exists_one(y, x.name == y.name))",message="only 1 endpoint override is permitted per GCP service name" // +optional // +openshift:enable:FeatureGate=GCPCustomAPIEndpoints @@ -1006,7 +1005,6 @@ type BareMetalPlatformStatus struct { // loadBalancer defines how the load balancer used by the cluster is configured. // +default={"type": "OpenShiftManagedDefault"} // +kubebuilder:default={"type": "OpenShiftManagedDefault"} - // +openshift:enable:FeatureGate=BareMetalLoadBalancer // +optional LoadBalancer *BareMetalPlatformLoadBalancer `json:"loadBalancer,omitempty"` @@ -1220,7 +1218,6 @@ type OvirtPlatformStatus struct { // loadBalancer defines how the load balancer used by the cluster is configured. // +default={"type": "OpenShiftManagedDefault"} // +kubebuilder:default={"type": "OpenShiftManagedDefault"} - // +openshift:enable:FeatureGate=BareMetalLoadBalancer // +optional LoadBalancer *OvirtPlatformLoadBalancer `json:"loadBalancer,omitempty"` } @@ -1390,7 +1387,6 @@ type VSpherePlatformTopology struct { // VSpherePlatformFailureDomainSpec. // For example, for zone=zonea, region=region1, and infrastructure name=test, // the template path would be calculated as //vm/test-rhcos-region1-zonea. - // +openshift:enable:FeatureGate=VSphereControlPlaneMachineSet // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=2048 // +kubebuilder:validation:Pattern=`^/.*?/vm/.*?` @@ -1558,8 +1554,7 @@ type VSpherePlatformSpec struct { // + If VCenters is not defined use the existing cloud-config configmap defined // + in openshift-config. // +kubebuilder:validation:MinItems=0 - // +openshift:validation:FeatureGateAwareMaxItems:featureGate="",maxItems=1 - // +openshift:validation:FeatureGateAwareMaxItems:featureGate=VSphereMultiVCenters,maxItems=3 + // +kubebuilder:validation:MaxItems=3 // +kubebuilder:validation:XValidation:rule="size(self) != size(oldSelf) ? size(oldSelf) == 0 && size(self) < 2 : true",message="vcenters cannot be added or removed once set" // +listType=atomic // +optional @@ -1671,7 +1666,6 @@ type VSpherePlatformStatus struct { // loadBalancer defines how the load balancer used by the cluster is configured. // +default={"type": "OpenShiftManagedDefault"} // +kubebuilder:default={"type": "OpenShiftManagedDefault"} - // +openshift:enable:FeatureGate=BareMetalLoadBalancer // +optional LoadBalancer *VSpherePlatformLoadBalancer `json:"loadBalancer,omitempty"` @@ -2089,7 +2083,6 @@ type NutanixPlatformStatus struct { // loadBalancer defines how the load balancer used by the cluster is configured. // +default={"type": "OpenShiftManagedDefault"} // +kubebuilder:default={"type": "OpenShiftManagedDefault"} - // +openshift:enable:FeatureGate=BareMetalLoadBalancer // +optional LoadBalancer *NutanixPlatformLoadBalancer `json:"loadBalancer,omitempty"` } diff --git a/vendor/github.com/openshift/api/config/v1/types_kmsencryption.go b/vendor/github.com/openshift/api/config/v1/types_kmsencryption.go new file mode 100644 index 00000000..3293204f --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/types_kmsencryption.go @@ -0,0 +1,55 @@ +package v1 + +// KMSConfig defines the configuration for the KMS instance +// that will be used with KMSEncryptionProvider encryption +// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'AWS' ? has(self.aws) : !has(self.aws)",message="aws config is required when kms provider type is AWS, and forbidden otherwise" +// +union +type KMSConfig struct { + // type defines the kind of platform for the KMS provider. + // Available provider types are AWS only. + // + // +unionDiscriminator + // +required + Type KMSProviderType `json:"type"` + + // aws defines the key config for using an AWS KMS instance + // for the encryption. The AWS KMS instance is managed + // by the user outside the purview of the control plane. + // + // +unionMember + // +optional + AWS *AWSKMSConfig `json:"aws,omitempty"` +} + +// AWSKMSConfig defines the KMS config specific to AWS KMS provider +type AWSKMSConfig struct { + // keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. + // The value must adhere to the format `arn:aws:kms:::key/`, where: + // - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. + // - `` is a 12-digit numeric identifier for the AWS account. + // - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. + // + // +kubebuilder:validation:MaxLength=128 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:XValidation:rule="self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')",message="keyARN must follow the format `arn:aws:kms:::key/`. The account ID must be a 12 digit number and the region and key ID should consist only of lowercase hexadecimal characters and hyphens (-)." + // +required + KeyARN string `json:"keyARN"` + // region specifies the AWS region where the KMS instance exists, and follows the format + // `--`, e.g.: `us-east-1`. + // Only lowercase letters and hyphens followed by numbers are allowed. + // + // +kubebuilder:validation:MaxLength=64 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:XValidation:rule="self.matches('^[a-z0-9]+(-[a-z0-9]+)*$')",message="region must be a valid AWS region, consisting of lowercase characters, digits and hyphens (-) only." + // +required + Region string `json:"region"` +} + +// KMSProviderType is a specific supported KMS provider +// +kubebuilder:validation:Enum=AWS +type KMSProviderType string + +const ( + // AWSKMSProvider represents a supported KMS provider for use with AWS KMS + AWSKMSProvider KMSProviderType = "AWS" +) diff --git a/vendor/github.com/openshift/api/config/v1/types_network.go b/vendor/github.com/openshift/api/config/v1/types_network.go index 95e55a7f..41dc2eb9 100644 --- a/vendor/github.com/openshift/api/config/v1/types_network.go +++ b/vendor/github.com/openshift/api/config/v1/types_network.go @@ -112,12 +112,10 @@ type NetworkStatus struct { // conditions represents the observations of a network.config current state. // Known .status.conditions.type are: "NetworkDiagnosticsAvailable" // +optional - // +patchMergeKey=type - // +patchStrategy=merge // +listType=map // +listMapKey=type // +openshift:enable:FeatureGate=NetworkDiagnosticsConfig - Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + Conditions []metav1.Condition `json:"conditions,omitempty"` } // ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs diff --git a/vendor/github.com/openshift/api/config/v1/types_node.go b/vendor/github.com/openshift/api/config/v1/types_node.go index 3fc7bc0c..1282f331 100644 --- a/vendor/github.com/openshift/api/config/v1/types_node.go +++ b/vendor/github.com/openshift/api/config/v1/types_node.go @@ -68,22 +68,20 @@ type NodeSpec struct { type NodeStatus struct { // conditions contain the details and the current state of the nodes.config object - // +patchMergeKey=type - // +patchStrategy=merge // +listType=map // +listMapKey=type // +optional - Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + Conditions []metav1.Condition `json:"conditions,omitempty"` } -// +kubebuilder:validation:Enum=v1;v2;"" +// +kubebuilder:validation:Enum=v2;"" type CgroupMode string const ( CgroupModeEmpty CgroupMode = "" // Empty string indicates to honor user set value on the system that should not be overridden by OpenShift CgroupModeV1 CgroupMode = "v1" CgroupModeV2 CgroupMode = "v2" - CgroupModeDefault CgroupMode = CgroupModeV1 + CgroupModeDefault CgroupMode = CgroupModeV2 ) // +kubebuilder:validation:Enum=Default;MediumUpdateAverageReaction;LowUpdateSlowReaction diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml new file mode 100644 index 00000000..cac1477e --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -0,0 +1,505 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: apiservers.config.openshift.io +spec: + group: config.openshift.io + names: + kind: APIServer + listKind: APIServerList + plural: apiservers + singular: apiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + APIServer holds configuration (like serving certificates, client CA and CORS domains) + shared by all API servers in the system, among them especially kube-apiserver + and openshift-apiserver. The canonical name of an instance is 'cluster'. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + additionalCORSAllowedOrigins: + description: |- + additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the + API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth + server from JavaScript applications. + The values are regular expressions that correspond to the Golang regular expression language. + items: + type: string + type: array + x-kubernetes-list-type: atomic + audit: + default: + profile: Default + description: |- + audit specifies the settings for audit configuration to be applied to all OpenShift-provided + API servers in the cluster. + properties: + customRules: + description: |- + customRules specify profiles per group. These profile take precedence over the + top-level profile field if they apply. They are evaluation from top to bottom and + the first one that matches, applies. + items: + description: |- + AuditCustomRule describes a custom rule for an audit profile that takes precedence over + the top-level profile. + properties: + group: + description: group is a name of group a request user must + be member of in order to this profile to apply. + minLength: 1 + type: string + profile: + description: |- + profile specifies the name of the desired audit policy configuration to be deployed to + all OpenShift-provided API servers in the cluster. + + The following profiles are provided: + - Default: the existing default policy. + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + If unset, the 'Default' profile is used as the default. + enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + required: + - group + - profile + type: object + type: array + x-kubernetes-list-map-keys: + - group + x-kubernetes-list-type: map + profile: + default: Default + description: |- + profile specifies the name of the desired top-level audit profile to be applied to all requests + sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, + openshift-apiserver and oauth-apiserver), with the exception of those requests that match + one or more of the customRules. + + The following profiles are provided: + - Default: default policy which means MetaData level logging with the exception of events + (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody + level). + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + Warning: It is not recommended to disable audit logging by using the `None` profile unless you + are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. + If you disable audit logging and a support situation arises, you might need to enable audit logging + and reproduce the issue in order to troubleshoot properly. + + If unset, the 'Default' profile is used as the default. + enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + type: object + clientCA: + description: |- + clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for + incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. + You usually only have to set this if you have your own PKI you wish to honor client certificates from. + The ConfigMap must exist in the openshift-config namespace and contain the following required fields: + - ConfigMap.Data["ca-bundle.crt"] - CA bundle. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + encryption: + description: encryption allows the configuration of encryption of + resources at the datastore layer. + properties: + kms: + description: |- + kms defines the configuration for the external KMS instance that manages the encryption keys, + when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an + externally configured KMS instance. + + The Key Management Service (KMS) instance provides symmetric encryption and is responsible for + managing the lifecyle of the encryption keys outside of the control plane. + This allows integration with an external provider to manage the data encryption keys securely. + properties: + aws: + description: |- + aws defines the key config for using an AWS KMS instance + for the encryption. The AWS KMS instance is managed + by the user outside the purview of the control plane. + properties: + keyARN: + description: |- + keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. + The value must adhere to the format `arn:aws:kms:::key/`, where: + - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. + - `` is a 12-digit numeric identifier for the AWS account. + - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. + maxLength: 128 + minLength: 1 + type: string + x-kubernetes-validations: + - message: keyARN must follow the format `arn:aws:kms:::key/`. + The account ID must be a 12 digit number and the region + and key ID should consist only of lowercase hexadecimal + characters and hyphens (-). + rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') + region: + description: |- + region specifies the AWS region where the KMS instance exists, and follows the format + `--`, e.g.: `us-east-1`. + Only lowercase letters and hyphens followed by numbers are allowed. + maxLength: 64 + minLength: 1 + type: string + x-kubernetes-validations: + - message: region must be a valid AWS region, consisting + of lowercase characters, digits and hyphens (-) only. + rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') + required: + - keyARN + - region + type: object + type: + description: |- + type defines the kind of platform for the KMS provider. + Available provider types are AWS only. + enum: + - AWS + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: aws config is required when kms provider type is AWS, + and forbidden otherwise + rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) + : !has(self.aws)' + type: + description: |- + type defines what encryption type should be used to encrypt resources at the datastore layer. + When this field is unset (i.e. when it is set to the empty string), identity is implied. + The behavior of unset can and will change over time. Even if encryption is enabled by default, + the meaning of unset may change to a different encryption type based on changes in best practices. + + When encryption is enabled, all sensitive resources shipped with the platform are encrypted. + This list of sensitive resources can and will change over time. The current authoritative list is: + + 1. secrets + 2. configmaps + 3. routes.route.openshift.io + 4. oauthaccesstokens.oauth.openshift.io + 5. oauthauthorizetokens.oauth.openshift.io + enum: + - "" + - identity + - aescbc + - aesgcm + - KMS + type: string + type: object + x-kubernetes-validations: + - message: kms config is required when encryption type is KMS, and + forbidden otherwise + rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : + !has(self.kms)' + servingCerts: + description: |- + servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates + will be used for serving secure traffic. + properties: + namedCertificates: + description: |- + namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. + If no named certificates are provided, or no named certificates match the server name as understood by a client, + the defaultServingCertificate will be used. + items: + description: APIServerNamedServingCert maps a server DNS name, + as understood by a client, to a certificate. + properties: + names: + description: |- + names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to + serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. + Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. + items: + type: string + type: array + x-kubernetes-list-type: atomic + servingCertificate: + description: |- + servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. + The secret must exist in the openshift-config namespace and contain the following required fields: + - Secret.Data["tls.key"] - TLS private key. + - Secret.Data["tls.crt"] - TLS certificate. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + tlsSecurityProfile: + description: |- + tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. + + If unset, a default (which may change between releases) is chosen. Note that only Old, + Intermediate and Custom profiles are currently supported, and the maximum available + minTLSVersion is VersionTLS12. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. An example custom profile + looks like this: + + ciphers: + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + minTLSVersion: VersionTLS11 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + + NOTE: currently the highest minTLSVersion allowed is VersionTLS12 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - DHE-RSA-AES128-GCM-SHA256 + + - DHE-RSA-AES256-GCM-SHA384 + + minTLSVersion: VersionTLS12 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + minTLSVersion: VersionTLS13 + nullable: true + type: object + old: + description: |- + old is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - DHE-RSA-AES128-GCM-SHA256 + + - DHE-RSA-AES256-GCM-SHA384 + + - DHE-RSA-CHACHA20-POLY1305 + + - ECDHE-ECDSA-AES128-SHA256 + + - ECDHE-RSA-AES128-SHA256 + + - ECDHE-ECDSA-AES128-SHA + + - ECDHE-RSA-AES128-SHA + + - ECDHE-ECDSA-AES256-SHA384 + + - ECDHE-RSA-AES256-SHA384 + + - ECDHE-ECDSA-AES256-SHA + + - ECDHE-RSA-AES256-SHA + + - DHE-RSA-AES128-SHA256 + + - DHE-RSA-AES256-SHA256 + + - AES128-GCM-SHA256 + + - AES256-GCM-SHA384 + + - AES128-SHA256 + + - AES256-SHA256 + + - AES128-SHA + + - AES256-SHA + + - DES-CBC3-SHA + + minTLSVersion: VersionTLS10 + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides + the ability to specify individual TLS security profile parameters. + Old, Intermediate and Modern are TLS security profiles based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + + The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers + are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be + reduced. + + Note that the Modern profile is currently not supported because it is not + yet well adopted by common software libraries. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml similarity index 98% rename from vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers.crd.yaml rename to vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml index 8dd63a32..c5206c23 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml @@ -7,6 +7,7 @@ metadata: include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: Default name: apiservers.config.openshift.io spec: group: config.openshift.io @@ -56,6 +57,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic audit: default: profile: Default @@ -200,6 +202,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic servingCertificate: description: |- servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. @@ -216,6 +219,7 @@ spec: type: object type: object type: array + x-kubernetes-list-type: atomic type: object tlsSecurityProfile: description: |- diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000..894faf84 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -0,0 +1,505 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + name: apiservers.config.openshift.io +spec: + group: config.openshift.io + names: + kind: APIServer + listKind: APIServerList + plural: apiservers + singular: apiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + APIServer holds configuration (like serving certificates, client CA and CORS domains) + shared by all API servers in the system, among them especially kube-apiserver + and openshift-apiserver. The canonical name of an instance is 'cluster'. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + additionalCORSAllowedOrigins: + description: |- + additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the + API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth + server from JavaScript applications. + The values are regular expressions that correspond to the Golang regular expression language. + items: + type: string + type: array + x-kubernetes-list-type: atomic + audit: + default: + profile: Default + description: |- + audit specifies the settings for audit configuration to be applied to all OpenShift-provided + API servers in the cluster. + properties: + customRules: + description: |- + customRules specify profiles per group. These profile take precedence over the + top-level profile field if they apply. They are evaluation from top to bottom and + the first one that matches, applies. + items: + description: |- + AuditCustomRule describes a custom rule for an audit profile that takes precedence over + the top-level profile. + properties: + group: + description: group is a name of group a request user must + be member of in order to this profile to apply. + minLength: 1 + type: string + profile: + description: |- + profile specifies the name of the desired audit policy configuration to be deployed to + all OpenShift-provided API servers in the cluster. + + The following profiles are provided: + - Default: the existing default policy. + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + If unset, the 'Default' profile is used as the default. + enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + required: + - group + - profile + type: object + type: array + x-kubernetes-list-map-keys: + - group + x-kubernetes-list-type: map + profile: + default: Default + description: |- + profile specifies the name of the desired top-level audit profile to be applied to all requests + sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, + openshift-apiserver and oauth-apiserver), with the exception of those requests that match + one or more of the customRules. + + The following profiles are provided: + - Default: default policy which means MetaData level logging with the exception of events + (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody + level). + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + Warning: It is not recommended to disable audit logging by using the `None` profile unless you + are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. + If you disable audit logging and a support situation arises, you might need to enable audit logging + and reproduce the issue in order to troubleshoot properly. + + If unset, the 'Default' profile is used as the default. + enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + type: object + clientCA: + description: |- + clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for + incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. + You usually only have to set this if you have your own PKI you wish to honor client certificates from. + The ConfigMap must exist in the openshift-config namespace and contain the following required fields: + - ConfigMap.Data["ca-bundle.crt"] - CA bundle. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + encryption: + description: encryption allows the configuration of encryption of + resources at the datastore layer. + properties: + kms: + description: |- + kms defines the configuration for the external KMS instance that manages the encryption keys, + when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an + externally configured KMS instance. + + The Key Management Service (KMS) instance provides symmetric encryption and is responsible for + managing the lifecyle of the encryption keys outside of the control plane. + This allows integration with an external provider to manage the data encryption keys securely. + properties: + aws: + description: |- + aws defines the key config for using an AWS KMS instance + for the encryption. The AWS KMS instance is managed + by the user outside the purview of the control plane. + properties: + keyARN: + description: |- + keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. + The value must adhere to the format `arn:aws:kms:::key/`, where: + - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. + - `` is a 12-digit numeric identifier for the AWS account. + - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. + maxLength: 128 + minLength: 1 + type: string + x-kubernetes-validations: + - message: keyARN must follow the format `arn:aws:kms:::key/`. + The account ID must be a 12 digit number and the region + and key ID should consist only of lowercase hexadecimal + characters and hyphens (-). + rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') + region: + description: |- + region specifies the AWS region where the KMS instance exists, and follows the format + `--`, e.g.: `us-east-1`. + Only lowercase letters and hyphens followed by numbers are allowed. + maxLength: 64 + minLength: 1 + type: string + x-kubernetes-validations: + - message: region must be a valid AWS region, consisting + of lowercase characters, digits and hyphens (-) only. + rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') + required: + - keyARN + - region + type: object + type: + description: |- + type defines the kind of platform for the KMS provider. + Available provider types are AWS only. + enum: + - AWS + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: aws config is required when kms provider type is AWS, + and forbidden otherwise + rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) + : !has(self.aws)' + type: + description: |- + type defines what encryption type should be used to encrypt resources at the datastore layer. + When this field is unset (i.e. when it is set to the empty string), identity is implied. + The behavior of unset can and will change over time. Even if encryption is enabled by default, + the meaning of unset may change to a different encryption type based on changes in best practices. + + When encryption is enabled, all sensitive resources shipped with the platform are encrypted. + This list of sensitive resources can and will change over time. The current authoritative list is: + + 1. secrets + 2. configmaps + 3. routes.route.openshift.io + 4. oauthaccesstokens.oauth.openshift.io + 5. oauthauthorizetokens.oauth.openshift.io + enum: + - "" + - identity + - aescbc + - aesgcm + - KMS + type: string + type: object + x-kubernetes-validations: + - message: kms config is required when encryption type is KMS, and + forbidden otherwise + rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : + !has(self.kms)' + servingCerts: + description: |- + servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates + will be used for serving secure traffic. + properties: + namedCertificates: + description: |- + namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. + If no named certificates are provided, or no named certificates match the server name as understood by a client, + the defaultServingCertificate will be used. + items: + description: APIServerNamedServingCert maps a server DNS name, + as understood by a client, to a certificate. + properties: + names: + description: |- + names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to + serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. + Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. + items: + type: string + type: array + x-kubernetes-list-type: atomic + servingCertificate: + description: |- + servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. + The secret must exist in the openshift-config namespace and contain the following required fields: + - Secret.Data["tls.key"] - TLS private key. + - Secret.Data["tls.crt"] - TLS certificate. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + tlsSecurityProfile: + description: |- + tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. + + If unset, a default (which may change between releases) is chosen. Note that only Old, + Intermediate and Custom profiles are currently supported, and the maximum available + minTLSVersion is VersionTLS12. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. An example custom profile + looks like this: + + ciphers: + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + minTLSVersion: VersionTLS11 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + + NOTE: currently the highest minTLSVersion allowed is VersionTLS12 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - DHE-RSA-AES128-GCM-SHA256 + + - DHE-RSA-AES256-GCM-SHA384 + + minTLSVersion: VersionTLS12 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + minTLSVersion: VersionTLS13 + nullable: true + type: object + old: + description: |- + old is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - DHE-RSA-AES128-GCM-SHA256 + + - DHE-RSA-AES256-GCM-SHA384 + + - DHE-RSA-CHACHA20-POLY1305 + + - ECDHE-ECDSA-AES128-SHA256 + + - ECDHE-RSA-AES128-SHA256 + + - ECDHE-ECDSA-AES128-SHA + + - ECDHE-RSA-AES128-SHA + + - ECDHE-ECDSA-AES256-SHA384 + + - ECDHE-RSA-AES256-SHA384 + + - ECDHE-ECDSA-AES256-SHA + + - ECDHE-RSA-AES256-SHA + + - DHE-RSA-AES128-SHA256 + + - DHE-RSA-AES256-SHA256 + + - AES128-GCM-SHA256 + + - AES256-GCM-SHA384 + + - AES128-SHA256 + + - AES256-SHA256 + + - AES128-SHA + + - AES256-SHA + + - DES-CBC3-SHA + + minTLSVersion: VersionTLS10 + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides + the ability to specify individual TLS security profile parameters. + Old, Intermediate and Modern are TLS security profiles based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + + The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers + are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be + reduced. + + Note that the Modern profile is currently not supported because it is not + yet well adopted by common software libraries. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000..54fdb0b0 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -0,0 +1,505 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: apiservers.config.openshift.io +spec: + group: config.openshift.io + names: + kind: APIServer + listKind: APIServerList + plural: apiservers + singular: apiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + APIServer holds configuration (like serving certificates, client CA and CORS domains) + shared by all API servers in the system, among them especially kube-apiserver + and openshift-apiserver. The canonical name of an instance is 'cluster'. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + additionalCORSAllowedOrigins: + description: |- + additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the + API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth + server from JavaScript applications. + The values are regular expressions that correspond to the Golang regular expression language. + items: + type: string + type: array + x-kubernetes-list-type: atomic + audit: + default: + profile: Default + description: |- + audit specifies the settings for audit configuration to be applied to all OpenShift-provided + API servers in the cluster. + properties: + customRules: + description: |- + customRules specify profiles per group. These profile take precedence over the + top-level profile field if they apply. They are evaluation from top to bottom and + the first one that matches, applies. + items: + description: |- + AuditCustomRule describes a custom rule for an audit profile that takes precedence over + the top-level profile. + properties: + group: + description: group is a name of group a request user must + be member of in order to this profile to apply. + minLength: 1 + type: string + profile: + description: |- + profile specifies the name of the desired audit policy configuration to be deployed to + all OpenShift-provided API servers in the cluster. + + The following profiles are provided: + - Default: the existing default policy. + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + If unset, the 'Default' profile is used as the default. + enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + required: + - group + - profile + type: object + type: array + x-kubernetes-list-map-keys: + - group + x-kubernetes-list-type: map + profile: + default: Default + description: |- + profile specifies the name of the desired top-level audit profile to be applied to all requests + sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, + openshift-apiserver and oauth-apiserver), with the exception of those requests that match + one or more of the customRules. + + The following profiles are provided: + - Default: default policy which means MetaData level logging with the exception of events + (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody + level). + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + Warning: It is not recommended to disable audit logging by using the `None` profile unless you + are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. + If you disable audit logging and a support situation arises, you might need to enable audit logging + and reproduce the issue in order to troubleshoot properly. + + If unset, the 'Default' profile is used as the default. + enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + type: object + clientCA: + description: |- + clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for + incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. + You usually only have to set this if you have your own PKI you wish to honor client certificates from. + The ConfigMap must exist in the openshift-config namespace and contain the following required fields: + - ConfigMap.Data["ca-bundle.crt"] - CA bundle. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + encryption: + description: encryption allows the configuration of encryption of + resources at the datastore layer. + properties: + kms: + description: |- + kms defines the configuration for the external KMS instance that manages the encryption keys, + when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an + externally configured KMS instance. + + The Key Management Service (KMS) instance provides symmetric encryption and is responsible for + managing the lifecyle of the encryption keys outside of the control plane. + This allows integration with an external provider to manage the data encryption keys securely. + properties: + aws: + description: |- + aws defines the key config for using an AWS KMS instance + for the encryption. The AWS KMS instance is managed + by the user outside the purview of the control plane. + properties: + keyARN: + description: |- + keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. + The value must adhere to the format `arn:aws:kms:::key/`, where: + - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. + - `` is a 12-digit numeric identifier for the AWS account. + - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. + maxLength: 128 + minLength: 1 + type: string + x-kubernetes-validations: + - message: keyARN must follow the format `arn:aws:kms:::key/`. + The account ID must be a 12 digit number and the region + and key ID should consist only of lowercase hexadecimal + characters and hyphens (-). + rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') + region: + description: |- + region specifies the AWS region where the KMS instance exists, and follows the format + `--`, e.g.: `us-east-1`. + Only lowercase letters and hyphens followed by numbers are allowed. + maxLength: 64 + minLength: 1 + type: string + x-kubernetes-validations: + - message: region must be a valid AWS region, consisting + of lowercase characters, digits and hyphens (-) only. + rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') + required: + - keyARN + - region + type: object + type: + description: |- + type defines the kind of platform for the KMS provider. + Available provider types are AWS only. + enum: + - AWS + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: aws config is required when kms provider type is AWS, + and forbidden otherwise + rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) + : !has(self.aws)' + type: + description: |- + type defines what encryption type should be used to encrypt resources at the datastore layer. + When this field is unset (i.e. when it is set to the empty string), identity is implied. + The behavior of unset can and will change over time. Even if encryption is enabled by default, + the meaning of unset may change to a different encryption type based on changes in best practices. + + When encryption is enabled, all sensitive resources shipped with the platform are encrypted. + This list of sensitive resources can and will change over time. The current authoritative list is: + + 1. secrets + 2. configmaps + 3. routes.route.openshift.io + 4. oauthaccesstokens.oauth.openshift.io + 5. oauthauthorizetokens.oauth.openshift.io + enum: + - "" + - identity + - aescbc + - aesgcm + - KMS + type: string + type: object + x-kubernetes-validations: + - message: kms config is required when encryption type is KMS, and + forbidden otherwise + rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : + !has(self.kms)' + servingCerts: + description: |- + servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates + will be used for serving secure traffic. + properties: + namedCertificates: + description: |- + namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. + If no named certificates are provided, or no named certificates match the server name as understood by a client, + the defaultServingCertificate will be used. + items: + description: APIServerNamedServingCert maps a server DNS name, + as understood by a client, to a certificate. + properties: + names: + description: |- + names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to + serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. + Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. + items: + type: string + type: array + x-kubernetes-list-type: atomic + servingCertificate: + description: |- + servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. + The secret must exist in the openshift-config namespace and contain the following required fields: + - Secret.Data["tls.key"] - TLS private key. + - Secret.Data["tls.crt"] - TLS certificate. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + tlsSecurityProfile: + description: |- + tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. + + If unset, a default (which may change between releases) is chosen. Note that only Old, + Intermediate and Custom profiles are currently supported, and the maximum available + minTLSVersion is VersionTLS12. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. An example custom profile + looks like this: + + ciphers: + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + minTLSVersion: VersionTLS11 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + + NOTE: currently the highest minTLSVersion allowed is VersionTLS12 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - DHE-RSA-AES128-GCM-SHA256 + + - DHE-RSA-AES256-GCM-SHA384 + + minTLSVersion: VersionTLS12 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + minTLSVersion: VersionTLS13 + nullable: true + type: object + old: + description: |- + old is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - DHE-RSA-AES128-GCM-SHA256 + + - DHE-RSA-AES256-GCM-SHA384 + + - DHE-RSA-CHACHA20-POLY1305 + + - ECDHE-ECDSA-AES128-SHA256 + + - ECDHE-RSA-AES128-SHA256 + + - ECDHE-ECDSA-AES128-SHA + + - ECDHE-RSA-AES128-SHA + + - ECDHE-ECDSA-AES256-SHA384 + + - ECDHE-RSA-AES256-SHA384 + + - ECDHE-ECDSA-AES256-SHA + + - ECDHE-RSA-AES256-SHA + + - DHE-RSA-AES128-SHA256 + + - DHE-RSA-AES256-SHA256 + + - AES128-GCM-SHA256 + + - AES256-GCM-SHA384 + + - AES128-SHA256 + + - AES256-SHA256 + + - AES128-SHA + + - AES256-SHA + + - DES-CBC3-SHA + + minTLSVersion: VersionTLS10 + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides + the ability to specify individual TLS security profile parameters. + Old, Intermediate and Modern are TLS security profiles based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + + The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers + are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be + reduced. + + Note that the Modern profile is currently not supported because it is not + yet well adopted by common software libraries. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml new file mode 100644 index 00000000..f6c3e460 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml @@ -0,0 +1,850 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: authentications.config.openshift.io +spec: + group: config.openshift.io + names: + kind: Authentication + listKind: AuthenticationList + plural: authentications + singular: authentication + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Authentication specifies cluster-wide settings for authentication (like OAuth and + webhook token authenticators). The canonical name of an instance is `cluster`. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + oauthMetadata: + description: |- + oauthMetadata contains the discovery endpoint data for OAuth 2.0 + Authorization Server Metadata for an external OAuth server. + This discovery document can be viewed from its served location: + oc get --raw '/.well-known/oauth-authorization-server' + For further details, see the IETF Draft: + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + If oauthMetadata.name is non-empty, this value has precedence + over any metadata reference stored in status. + The key "oauthMetadata" is used to locate the data. + If specified and the config map or expected key is not found, no metadata is served. + If the specified metadata is not valid, no metadata is served. + The namespace for this config map is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + oidcProviders: + description: |- + oidcProviders are OIDC identity providers that can issue tokens + for this cluster + Can only be set if "Type" is set to "OIDC". + + At most one provider can be configured. + items: + properties: + claimMappings: + description: |- + claimMappings is an optional field that configures the rules to be used by + the Kubernetes API server for translating claims in a JWT token, issued + by the identity provider, to a cluster identity. + properties: + extra: + description: |- + extra is an optional field for configuring the mappings + used to construct the extra attribute for the cluster identity. + When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. + A maximum of 64 extra attribute mappings may be provided. + items: + description: |- + ExtraMapping allows specifying a key and CEL expression + to evaluate the keys' value. It is used to create additional + mappings and attributes added to a cluster identity from + a provided authentication token. + properties: + key: + description: |- + key is a required field that specifies the string + to use as the extra attribute key. + + key must be a domain-prefix path (e.g 'example.org/foo'). + key must not exceed 510 characters in length. + key must contain the '/' character, separating the domain and path characters. + key must not be empty. + + The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. + It must not exceed 253 characters in length. + It must start and end with an alphanumeric character. + It must only contain lower case alphanumeric characters and '-' or '.'. + It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". + + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one + alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + It must not exceed 256 characters in length. + maxLength: 510 + minLength: 1 + type: string + x-kubernetes-validations: + - message: key must contain the '/' character + rule: self.contains('/') + - message: the domain of the key must consist of only + lower case alphanumeric characters, '-' or '.', + and must start and end with an alphanumeric character + rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + - message: the domain of the key must not exceed 253 + characters in length + rule: self.split('/', 2)[0].size() <= 253 + - message: the domain 'kubernetes.io' is reserved + for Kubernetes use + rule: self.split('/', 2)[0] != 'kubernetes.io' + - message: the subdomains '*.kubernetes.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' + - message: the domain 'k8s.io' is reserved for Kubernetes + use + rule: self.split('/', 2)[0] != 'k8s.io' + - message: the subdomains '*.k8s.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' + - message: the domain 'openshift.io' is reserved for + OpenShift use + rule: self.split('/', 2)[0] != 'openshift.io' + - message: the subdomains '*.openshift.io' are reserved + for OpenShift use + rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' + - message: the path of the key must not be empty and + must consist of at least one alphanumeric character, + percent-encoded octets, apostrophe, '-', '.', + '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', + ';', '=', and ':' + rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') + - message: the path of the key must not exceed 256 + characters in length + rule: self.split('/', 2)[1].size() <= 256 + valueExpression: + description: |- + valueExpression is a required field to specify the CEL expression to extract + the extra attribute value from a JWT token's claims. + valueExpression must produce a string or string array value. + "", [], and null are treated as the extra mapping not being present. + Empty string values within an array are filtered out. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + valueExpression must not exceed 4096 characters in length. + valueExpression must not be empty. + maxLength: 4096 + minLength: 1 + type: string + required: + - key + - valueExpression + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - key + x-kubernetes-list-type: map + groups: + description: |- + groups is an optional field that configures how the groups of a cluster identity + should be constructed from the claims in a JWT token issued + by the identity provider. + When referencing a claim, if the claim is present in the JWT + token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + properties: + claim: + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. + type: string + prefix: + description: |- + prefix is an optional field that configures the prefix that will be + applied to the cluster identity attribute during the process of mapping + JWT claims to cluster identity attributes. + + When omitted (""), no prefix is applied to the cluster identity attribute. + + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains + an array of strings "a", "b" and "c", the mapping will result in an + array of string "myoidc:a", "myoidc:b" and "myoidc:c". + type: string + required: + - claim + type: object + uid: + description: |- + uid is an optional field for configuring the claim mapping + used to construct the uid for the cluster identity. + + When using uid.claim to specify the claim it must be a single string value. + When using uid.expression the expression must result in a single string value. + + When omitted, this means the user has no opinion and the platform + is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. + properties: + claim: + description: |- + claim is an optional field for specifying the + JWT token claim that is used in the mapping. + The value of this claim will be assigned to + the field in which this mapping is associated. + + Precisely one of claim or expression must be set. + claim must not be specified when expression is set. + When specified, claim must be at least 1 character in length + and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + expression: + description: |- + expression is an optional field for specifying a + CEL expression that produces a string value from + JWT token claims. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + Precisely one of claim or expression must be set. + expression must not be specified when claim is set. + When specified, expression must be at least 1 character in length + and must not exceed 4096 characters in length. + maxLength: 4096 + minLength: 1 + type: string + type: object + x-kubernetes-validations: + - message: precisely one of claim or expression must be + set + rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' + username: + description: |- + username is an optional field that configures how the username of a cluster identity + should be constructed from the claims in a JWT token issued by the identity provider. + properties: + claim: + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. + type: string + prefix: + description: |- + prefix configures the prefix that should be prepended to the value + of the JWT claim. + + prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. + properties: + prefixString: + description: |- + prefixString is a required field that configures the prefix that will + be applied to cluster identity username attribute + during the process of mapping JWT claims to cluster identity attributes. + + prefixString must not be an empty string (""). + minLength: 1 + type: string + required: + - prefixString + type: object + prefixPolicy: + description: |- + prefixPolicy is an optional field that configures how a prefix should be + applied to the value of the JWT claim specified in the 'claim' field. + + Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). + + When set to 'Prefix', the value specified in the prefix field will be + prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. + + When set to 'NoPrefix', no prefix will be prepended to the value + of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose + any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim + when the claim is not 'email'. + As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + - "username": the mapped value will be "https://myoidc.tld#userA" + - "email": the mapped value will be "userA@myoidc.tld" + enum: + - "" + - NoPrefix + - Prefix + type: string + required: + - claim + type: object + x-kubernetes-validations: + - message: prefix must be set if prefixPolicy is 'Prefix', + but must remain unset otherwise + rule: 'has(self.prefixPolicy) && self.prefixPolicy == + ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) + > 0) : !has(self.prefix)' + type: object + claimValidationRules: + description: |- + claimValidationRules is an optional field that configures the rules to + be used by the Kubernetes API server for validating the claims in a JWT + token issued by the identity provider. + + Validation rules are joined via an AND operation. + items: + properties: + requiredClaim: + description: |- + requiredClaim is an optional field that configures the required claim + and value that the Kubernetes API server will use to validate if an incoming + JWT is valid for this identity provider. + properties: + claim: + description: |- + claim is a required field that configures the name of the required claim. + When taken from the JWT claims, claim must be a string value. + + claim must not be an empty string (""). + minLength: 1 + type: string + requiredValue: + description: |- + requiredValue is a required field that configures the value that 'claim' must + have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token + will be rejected for authentication. + + requiredValue must not be an empty string (""). + minLength: 1 + type: string + required: + - claim + - requiredValue + type: object + type: + default: RequiredClaim + description: |- + type is an optional field that configures the type of the validation rule. + + Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). + + When set to 'RequiredClaim', the Kubernetes API server + will be configured to validate that the incoming JWT + contains the required claim and that its value matches + the required value. + + Defaults to 'RequiredClaim'. + enum: + - RequiredClaim + type: string + type: object + type: array + x-kubernetes-list-type: atomic + issuer: + description: |- + issuer is a required field that configures how the platform interacts + with the identity provider and how tokens issued from the identity provider + are evaluated by the Kubernetes API server. + properties: + audiences: + description: |- + audiences is a required field that configures the acceptable audiences + the JWT token, issued by the identity provider, must be issued to. + At least one of the entries must match the 'aud' claim in the JWT token. + + audiences must contain at least one entry and must not exceed ten entries. + items: + minLength: 1 + type: string + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: set + issuerCertificateAuthority: + description: |- + issuerCertificateAuthority is an optional field that configures the + certificate authority, used by the Kubernetes API server, to validate + the connection to the identity provider when fetching discovery information. + + When not specified, the system trust is used. + + When specified, it must reference a ConfigMap in the openshift-config + namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' + key in the data field of the ConfigMap. + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + required: + - name + type: object + issuerURL: + description: |- + issuerURL is a required field that configures the URL used to issue tokens + by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled + by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + + issuerURL must use the 'https' scheme. + pattern: ^https:\/\/[^\s] + type: string + required: + - audiences + - issuerURL + type: object + name: + description: |- + name is a required field that configures the unique human-readable identifier + associated with the identity provider. + It is used to distinguish between multiple identity providers + and has no impact on token validation or authentication mechanics. + + name must not be an empty string (""). + minLength: 1 + type: string + oidcClients: + description: |- + oidcClients is an optional field that configures how on-cluster, + platform clients should request tokens from the identity provider. + oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. + items: + description: |- + OIDCClientConfig configures how platform clients + interact with identity providers as an authentication + method + properties: + clientID: + description: |- + clientID is a required field that configures the client identifier, from + the identity provider, that the platform component uses for authentication + requests made to the identity provider. + The identity provider must accept this identifier for platform components + to be able to use the identity provider as an authentication mode. + + clientID must not be an empty string (""). + minLength: 1 + type: string + clientSecret: + description: |- + clientSecret is an optional field that configures the client secret used + by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests + to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' + namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + The client secret will be used when making authentication requests to the identity provider. + + Public clients do not require a client secret but private + clients do require a client secret to work with the identity provider. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + componentName: + description: |- + componentName is a required field that specifies the name of the platform + component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + componentNamespace: + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component being configured to use the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + maxLength: 63 + minLength: 1 + type: string + extraScopes: + description: |- + extraScopes is an optional field that configures the extra scopes that should + be requested by the platform component when making authentication requests to the + identity provider. + This is useful if you have configured claim mappings that requires specific + scopes to be requested beyond the standard OIDC scopes. + + When omitted, no additional scopes are requested. + items: + type: string + type: array + x-kubernetes-list-type: set + required: + - clientID + - componentName + - componentNamespace + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map + required: + - issuer + - name + type: object + maxItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + serviceAccountIssuer: + description: |- + serviceAccountIssuer is the identifier of the bound service account token + issuer. + The default is https://kubernetes.default.svc + WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the + previous issuer value. Instead, the tokens issued by previous service account issuer will continue to + be trusted for a time period chosen by the platform (currently set to 24h). + This time period is subject to change over time. + This allows internal components to transition to use new service account issuer without service distruption. + type: string + type: + description: |- + type identifies the cluster managed, user facing authentication mode in use. + Specifically, it manages the component that responds to login attempts. + The default is IntegratedOAuth. + enum: + - "" + - None + - IntegratedOAuth + - OIDC + type: string + webhookTokenAuthenticator: + description: |- + webhookTokenAuthenticator configures a remote token reviewer. + These remote authentication webhooks can be used to verify bearer tokens + via the tokenreviews.authentication.k8s.io REST API. This is required to + honor bearer tokens that are provisioned by an external authentication service. + + Can only be set if "Type" is set to "None". + properties: + kubeConfig: + description: |- + kubeConfig references a secret that contains kube config file data which + describes how to access the remote webhook service. + The namespace for the referenced secret is openshift-config. + + For further details, see: + + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. + properties: + name: + description: name is the metadata.name of the referenced secret + type: string + required: + - name + type: object + required: + - kubeConfig + type: object + webhookTokenAuthenticators: + description: webhookTokenAuthenticators is DEPRECATED, setting it + has no effect. + items: + description: |- + deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. + It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. + properties: + kubeConfig: + description: |- + kubeConfig contains kube config file data which describes how to access the remote webhook service. + For further details, see: + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. + The namespace for this secret is determined by the point of use. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + properties: + integratedOAuthMetadata: + description: |- + integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 + Authorization Server Metadata for the in-cluster integrated OAuth server. + This discovery document can be viewed from its served location: + oc get --raw '/.well-known/oauth-authorization-server' + For further details, see the IETF Draft: + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + This contains the observed value based on cluster state. + An explicitly set value in spec.oauthMetadata has precedence over this field. + This field has no meaning if authentication spec.type is not set to IntegratedOAuth. + The key "oauthMetadata" is used to locate the data. + If the config map or expected key is not found, no metadata is served. + If the specified metadata is not valid, no metadata is served. + The namespace for this config map is openshift-config-managed. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + oidcClients: + description: |- + oidcClients is where participating operators place the current OIDC client status + for OIDC clients that can be customized by the cluster-admin. + items: + description: |- + OIDCClientStatus represents the current state + of platform components and how they interact with + the configured identity providers. + properties: + componentName: + description: |- + componentName is a required field that specifies the name of the platform + component using the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + componentNamespace: + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component using the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + maxLength: 63 + minLength: 1 + type: string + conditions: + description: |- + conditions are used to communicate the state of the `oidcClients` entry. + + Supported conditions include Available, Degraded and Progressing. + + If Available is true, the component is successfully using the configured client. + If Degraded is true, that means something has gone wrong trying to handle the client configuration. + If Progressing is true, that means the component is taking some action related to the `oidcClients` entry. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + consumingUsers: + description: |- + consumingUsers is an optional list of ServiceAccounts requiring + read permissions on the `clientSecret` secret. + + consumingUsers must not exceed 5 entries. + items: + description: ConsumingUser is an alias for string which we + add validation to. Currently only service accounts are supported. + maxLength: 512 + minLength: 1 + pattern: ^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 5 + type: array + x-kubernetes-list-type: set + currentOIDCClients: + description: |- + currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. + items: + description: |- + OIDCClientReference is a reference to a platform component + client configuration. + properties: + clientID: + description: |- + clientID is a required field that specifies the client identifier, from + the identity provider, that the platform component is using for authentication + requests made to the identity provider. + + clientID must not be empty. + minLength: 1 + type: string + issuerURL: + description: |- + issuerURL is a required field that specifies the URL of the identity + provider that this client is configured to make requests against. + + issuerURL must use the 'https' scheme. + pattern: ^https:\/\/[^\s] + type: string + oidcProviderName: + description: |- + oidcProviderName is a required reference to the 'name' of the identity provider + configured in 'oidcProviders' that this client is associated with. + + oidcProviderName must not be an empty string (""). + minLength: 1 + type: string + required: + - clientID + - issuerURL + - oidcProviderName + type: object + type: array + x-kubernetes-list-map-keys: + - issuerURL + - clientID + x-kubernetes-list-type: map + required: + - componentName + - componentNamespace + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + x-kubernetes-validations: + - message: all oidcClients in the oidcProviders must match their componentName + and componentNamespace to either a previously configured oidcClient or + they must exist in the status.oidcClients + rule: '!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) + || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace + == specC.componentNamespace && statusC.componentName == specC.componentName) + || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, + oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, + oldC.componentNamespace == specC.componentNamespace && oldC.componentName + == specC.componentName)))))' + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml similarity index 61% rename from vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift.crd.yaml rename to vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml index 93b2b006..6a6b7ff1 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml @@ -6,6 +6,7 @@ metadata: api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: Default name: authentications.config.openshift.io spec: group: config.openshift.io @@ -78,27 +79,34 @@ spec: properties: claimMappings: description: |- - claimMappings describes rules on how to transform information from an - ID token into a cluster identity + claimMappings is an optional field that configures the rules to be used by + the Kubernetes API server for translating claims in a JWT token, issued + by the identity provider, to a cluster identity. properties: groups: description: |- - groups is a name of the claim that should be used to construct - groups for the cluster identity. - The referenced claim must use array of strings values. + groups is an optional field that configures how the groups of a cluster identity + should be constructed from the claims in a JWT token issued + by the identity provider. + When referencing a claim, if the claim is present in the JWT + token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. type: string prefix: description: |- - prefix is a string to prefix the value from the token in the result of the - claim mapping. + prefix is an optional field that configures the prefix that will be + applied to the cluster identity attribute during the process of mapping + JWT claims to cluster identity attributes. - By default, no prefixing occurs. + When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string @@ -107,18 +115,29 @@ spec: type: object username: description: |- - username is a name of the claim that should be used to construct - usernames for the cluster identity. - - Default value: "sub" + username is an optional field that configures how the username of a cluster identity + should be constructed from the claims in a JWT token issued by the identity provider. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. type: string prefix: + description: |- + prefix configures the prefix that should be prepended to the value + of the JWT claim. + + prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: + description: |- + prefixString is a required field that configures the prefix that will + be applied to cluster identity username attribute + during the process of mapping JWT claims to cluster identity attributes. + + prefixString must not be an empty string (""). minLength: 1 type: string required: @@ -126,25 +145,28 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy specifies how a prefix should apply. - - By default, claims other than `email` will be prefixed with the issuer URL to - prevent naming clashes with other plugins. - - Set to "NoPrefix" to disable prefixing. - - Example: - (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - If the JWT claim `username` contains value `userA`, the resulting - mapped value will be "myoidc:userA". - (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - JWT `email` claim contains value "userA@myoidc.tld", the resulting - mapped value will be "myoidc:userA@myoidc.tld". - (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - (a) "username": the mapped value will be "https://myoidc.tld#userA" - (b) "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy is an optional field that configures how a prefix should be + applied to the value of the JWT claim specified in the 'claim' field. + + Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). + + When set to 'Prefix', the value specified in the prefix field will be + prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. + + When set to 'NoPrefix', no prefix will be prepended to the value + of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose + any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim + when the claim is not 'email'. + As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + - "username": the mapped value will be "https://myoidc.tld#userA" + - "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix @@ -161,24 +183,36 @@ spec: > 0) : !has(self.prefix)' type: object claimValidationRules: - description: claimValidationRules are rules that are applied - to validate token claims to authenticate users. + description: |- + claimValidationRules is an optional field that configures the rules to + be used by the Kubernetes API server for validating the claims in a JWT + token issued by the identity provider. + + Validation rules are joined via an AND operation. items: properties: requiredClaim: description: |- - requiredClaim allows configuring a required claim name and its expected - value + requiredClaim is an optional field that configures the required claim + and value that the Kubernetes API server will use to validate if an incoming + JWT is valid for this identity provider. properties: claim: description: |- - claim is a name of a required claim. Only claims with string values are - supported. + claim is a required field that configures the name of the required claim. + When taken from the JWT claims, claim must be a string value. + + claim must not be an empty string (""). minLength: 1 type: string requiredValue: - description: requiredValue is the required value for - the claim. + description: |- + requiredValue is a required field that configures the value that 'claim' must + have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token + will be rejected for authentication. + + requiredValue must not be an empty string (""). minLength: 1 type: string required: @@ -187,7 +221,17 @@ spec: type: object type: default: RequiredClaim - description: type sets the type of the validation rule + description: |- + type is an optional field that configures the type of the validation rule. + + Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). + + When set to 'RequiredClaim', the Kubernetes API server + will be configured to validate that the incoming JWT + contains the required claim and that its value matches + the required value. + + Defaults to 'RequiredClaim'. enum: - RequiredClaim type: string @@ -195,14 +239,18 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: issuer describes atributes of the OIDC token issuer + description: |- + issuer is a required field that configures how the platform interacts + with the identity provider and how tokens issued from the identity provider + are evaluated by the Kubernetes API server. properties: audiences: description: |- - audiences is an array of audiences that the token was issued for. - Valid tokens must include at least one of these values in their - "aud" claim. - Must be set to exactly one value. + audiences is a required field that configures the acceptable audiences + the JWT token, issued by the identity provider, must be issued to. + At least one of the entries must match the 'aud' claim in the JWT token. + + audiences must contain at least one entry and must not exceed ten entries. items: minLength: 1 type: string @@ -212,10 +260,15 @@ spec: x-kubernetes-list-type: set issuerCertificateAuthority: description: |- - CertificateAuthority is a reference to a config map in the - configuration namespace. The .data of the configMap must contain - the "ca-bundle.crt" key. - If unset, system trust is used instead. + issuerCertificateAuthority is an optional field that configures the + certificate authority, used by the Kubernetes API server, to validate + the connection to the identity provider when fetching discovery information. + + When not specified, the system trust is used. + + When specified, it must reference a ConfigMap in the openshift-config + namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' + key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -226,8 +279,12 @@ spec: type: object issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that configures the URL used to issue tokens + by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled + by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string required: @@ -235,24 +292,51 @@ spec: - issuerURL type: object name: - description: name of the OIDC provider + description: |- + name is a required field that configures the unique human-readable identifier + associated with the identity provider. + It is used to distinguish between multiple identity providers + and has no impact on token validation or authentication mechanics. + + name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients contains configuration for the platform's clients that - need to request tokens from the issuer + oidcClients is an optional field that configures how on-cluster, + platform clients should request tokens from the identity provider. + oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: + description: |- + OIDCClientConfig configures how platform clients + interact with identity providers as an authentication + method properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that configures the client identifier, from + the identity provider, that the platform component uses for authentication + requests made to the identity provider. + The identity provider must accept this identifier for platform components + to be able to use the identity provider as an authentication mode. + + clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret refers to a secret in the `openshift-config` namespace that - contains the client secret in the `clientSecret` key of the `.data` field + clientSecret is an optional field that configures the client secret used + by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests + to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' + namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + The client secret will be used when making authentication requests to the identity provider. + + Public clients do not require a client secret but private + clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced @@ -263,21 +347,34 @@ spec: type: object componentName: description: |- - componentName is the name of the component that is supposed to consume this - client configuration + componentName is a required field that specifies the name of the platform + component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is the namespace of the component that is supposed to consume this - client configuration + componentNamespace is a required field that specifies the namespace in which the + platform component being configured to use the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string extraScopes: - description: extraScopes is an optional set of scopes - to request tokens with. + description: |- + extraScopes is an optional field that configures the extra scopes that should + be requested by the platform component when making authentication requests to the + identity provider. + This is useful if you have configured claim mappings that requires specific + scopes to be requested beyond the standard OIDC scopes. + + When omitted, no additional scopes are requested. items: type: string type: array @@ -417,16 +514,29 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: + description: |- + OIDCClientStatus represents the current state + of platform components and how they interact with + the configured identity providers. properties: componentName: - description: componentName is the name of the component that - will consume a client configuration. + description: |- + componentName is a required field that specifies the name of the platform + component using the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: - description: componentNamespace is the namespace of the component - that will consume a client configuration. + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component using the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string @@ -500,8 +610,10 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is a slice of ServiceAccounts that need to have read - permission on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring + read permissions on the `clientSecret` secret. + + consumingUsers must not exceed 5 entries. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. @@ -513,24 +625,37 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: currentOIDCClients is a list of clients that the - component is currently using. + description: |- + currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: + description: |- + OIDCClientReference is a reference to a platform component + client configuration. properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that specifies the client identifier, from + the identity provider, that the platform component is using for authentication + requests made to the identity provider. + + clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that specifies the URL of the identity + provider that this client is configured to make requests against. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: OIDCName refers to the `name` of the provider - from `oidcProviders` + description: |- + oidcProviderName is a required reference to the 'name' of the identity provider + configured in 'oidcProviders' that this client is associated with. + + oidcProviderName must not be an empty string (""). minLength: 1 type: string required: diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000..76ad704a --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml @@ -0,0 +1,850 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + name: authentications.config.openshift.io +spec: + group: config.openshift.io + names: + kind: Authentication + listKind: AuthenticationList + plural: authentications + singular: authentication + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Authentication specifies cluster-wide settings for authentication (like OAuth and + webhook token authenticators). The canonical name of an instance is `cluster`. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + oauthMetadata: + description: |- + oauthMetadata contains the discovery endpoint data for OAuth 2.0 + Authorization Server Metadata for an external OAuth server. + This discovery document can be viewed from its served location: + oc get --raw '/.well-known/oauth-authorization-server' + For further details, see the IETF Draft: + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + If oauthMetadata.name is non-empty, this value has precedence + over any metadata reference stored in status. + The key "oauthMetadata" is used to locate the data. + If specified and the config map or expected key is not found, no metadata is served. + If the specified metadata is not valid, no metadata is served. + The namespace for this config map is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + oidcProviders: + description: |- + oidcProviders are OIDC identity providers that can issue tokens + for this cluster + Can only be set if "Type" is set to "OIDC". + + At most one provider can be configured. + items: + properties: + claimMappings: + description: |- + claimMappings is an optional field that configures the rules to be used by + the Kubernetes API server for translating claims in a JWT token, issued + by the identity provider, to a cluster identity. + properties: + extra: + description: |- + extra is an optional field for configuring the mappings + used to construct the extra attribute for the cluster identity. + When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. + A maximum of 64 extra attribute mappings may be provided. + items: + description: |- + ExtraMapping allows specifying a key and CEL expression + to evaluate the keys' value. It is used to create additional + mappings and attributes added to a cluster identity from + a provided authentication token. + properties: + key: + description: |- + key is a required field that specifies the string + to use as the extra attribute key. + + key must be a domain-prefix path (e.g 'example.org/foo'). + key must not exceed 510 characters in length. + key must contain the '/' character, separating the domain and path characters. + key must not be empty. + + The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. + It must not exceed 253 characters in length. + It must start and end with an alphanumeric character. + It must only contain lower case alphanumeric characters and '-' or '.'. + It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". + + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one + alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + It must not exceed 256 characters in length. + maxLength: 510 + minLength: 1 + type: string + x-kubernetes-validations: + - message: key must contain the '/' character + rule: self.contains('/') + - message: the domain of the key must consist of only + lower case alphanumeric characters, '-' or '.', + and must start and end with an alphanumeric character + rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + - message: the domain of the key must not exceed 253 + characters in length + rule: self.split('/', 2)[0].size() <= 253 + - message: the domain 'kubernetes.io' is reserved + for Kubernetes use + rule: self.split('/', 2)[0] != 'kubernetes.io' + - message: the subdomains '*.kubernetes.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' + - message: the domain 'k8s.io' is reserved for Kubernetes + use + rule: self.split('/', 2)[0] != 'k8s.io' + - message: the subdomains '*.k8s.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' + - message: the domain 'openshift.io' is reserved for + OpenShift use + rule: self.split('/', 2)[0] != 'openshift.io' + - message: the subdomains '*.openshift.io' are reserved + for OpenShift use + rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' + - message: the path of the key must not be empty and + must consist of at least one alphanumeric character, + percent-encoded octets, apostrophe, '-', '.', + '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', + ';', '=', and ':' + rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') + - message: the path of the key must not exceed 256 + characters in length + rule: self.split('/', 2)[1].size() <= 256 + valueExpression: + description: |- + valueExpression is a required field to specify the CEL expression to extract + the extra attribute value from a JWT token's claims. + valueExpression must produce a string or string array value. + "", [], and null are treated as the extra mapping not being present. + Empty string values within an array are filtered out. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + valueExpression must not exceed 4096 characters in length. + valueExpression must not be empty. + maxLength: 4096 + minLength: 1 + type: string + required: + - key + - valueExpression + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - key + x-kubernetes-list-type: map + groups: + description: |- + groups is an optional field that configures how the groups of a cluster identity + should be constructed from the claims in a JWT token issued + by the identity provider. + When referencing a claim, if the claim is present in the JWT + token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + properties: + claim: + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. + type: string + prefix: + description: |- + prefix is an optional field that configures the prefix that will be + applied to the cluster identity attribute during the process of mapping + JWT claims to cluster identity attributes. + + When omitted (""), no prefix is applied to the cluster identity attribute. + + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains + an array of strings "a", "b" and "c", the mapping will result in an + array of string "myoidc:a", "myoidc:b" and "myoidc:c". + type: string + required: + - claim + type: object + uid: + description: |- + uid is an optional field for configuring the claim mapping + used to construct the uid for the cluster identity. + + When using uid.claim to specify the claim it must be a single string value. + When using uid.expression the expression must result in a single string value. + + When omitted, this means the user has no opinion and the platform + is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. + properties: + claim: + description: |- + claim is an optional field for specifying the + JWT token claim that is used in the mapping. + The value of this claim will be assigned to + the field in which this mapping is associated. + + Precisely one of claim or expression must be set. + claim must not be specified when expression is set. + When specified, claim must be at least 1 character in length + and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + expression: + description: |- + expression is an optional field for specifying a + CEL expression that produces a string value from + JWT token claims. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + Precisely one of claim or expression must be set. + expression must not be specified when claim is set. + When specified, expression must be at least 1 character in length + and must not exceed 4096 characters in length. + maxLength: 4096 + minLength: 1 + type: string + type: object + x-kubernetes-validations: + - message: precisely one of claim or expression must be + set + rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' + username: + description: |- + username is an optional field that configures how the username of a cluster identity + should be constructed from the claims in a JWT token issued by the identity provider. + properties: + claim: + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. + type: string + prefix: + description: |- + prefix configures the prefix that should be prepended to the value + of the JWT claim. + + prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. + properties: + prefixString: + description: |- + prefixString is a required field that configures the prefix that will + be applied to cluster identity username attribute + during the process of mapping JWT claims to cluster identity attributes. + + prefixString must not be an empty string (""). + minLength: 1 + type: string + required: + - prefixString + type: object + prefixPolicy: + description: |- + prefixPolicy is an optional field that configures how a prefix should be + applied to the value of the JWT claim specified in the 'claim' field. + + Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). + + When set to 'Prefix', the value specified in the prefix field will be + prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. + + When set to 'NoPrefix', no prefix will be prepended to the value + of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose + any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim + when the claim is not 'email'. + As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + - "username": the mapped value will be "https://myoidc.tld#userA" + - "email": the mapped value will be "userA@myoidc.tld" + enum: + - "" + - NoPrefix + - Prefix + type: string + required: + - claim + type: object + x-kubernetes-validations: + - message: prefix must be set if prefixPolicy is 'Prefix', + but must remain unset otherwise + rule: 'has(self.prefixPolicy) && self.prefixPolicy == + ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) + > 0) : !has(self.prefix)' + type: object + claimValidationRules: + description: |- + claimValidationRules is an optional field that configures the rules to + be used by the Kubernetes API server for validating the claims in a JWT + token issued by the identity provider. + + Validation rules are joined via an AND operation. + items: + properties: + requiredClaim: + description: |- + requiredClaim is an optional field that configures the required claim + and value that the Kubernetes API server will use to validate if an incoming + JWT is valid for this identity provider. + properties: + claim: + description: |- + claim is a required field that configures the name of the required claim. + When taken from the JWT claims, claim must be a string value. + + claim must not be an empty string (""). + minLength: 1 + type: string + requiredValue: + description: |- + requiredValue is a required field that configures the value that 'claim' must + have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token + will be rejected for authentication. + + requiredValue must not be an empty string (""). + minLength: 1 + type: string + required: + - claim + - requiredValue + type: object + type: + default: RequiredClaim + description: |- + type is an optional field that configures the type of the validation rule. + + Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). + + When set to 'RequiredClaim', the Kubernetes API server + will be configured to validate that the incoming JWT + contains the required claim and that its value matches + the required value. + + Defaults to 'RequiredClaim'. + enum: + - RequiredClaim + type: string + type: object + type: array + x-kubernetes-list-type: atomic + issuer: + description: |- + issuer is a required field that configures how the platform interacts + with the identity provider and how tokens issued from the identity provider + are evaluated by the Kubernetes API server. + properties: + audiences: + description: |- + audiences is a required field that configures the acceptable audiences + the JWT token, issued by the identity provider, must be issued to. + At least one of the entries must match the 'aud' claim in the JWT token. + + audiences must contain at least one entry and must not exceed ten entries. + items: + minLength: 1 + type: string + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: set + issuerCertificateAuthority: + description: |- + issuerCertificateAuthority is an optional field that configures the + certificate authority, used by the Kubernetes API server, to validate + the connection to the identity provider when fetching discovery information. + + When not specified, the system trust is used. + + When specified, it must reference a ConfigMap in the openshift-config + namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' + key in the data field of the ConfigMap. + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + required: + - name + type: object + issuerURL: + description: |- + issuerURL is a required field that configures the URL used to issue tokens + by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled + by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + + issuerURL must use the 'https' scheme. + pattern: ^https:\/\/[^\s] + type: string + required: + - audiences + - issuerURL + type: object + name: + description: |- + name is a required field that configures the unique human-readable identifier + associated with the identity provider. + It is used to distinguish between multiple identity providers + and has no impact on token validation or authentication mechanics. + + name must not be an empty string (""). + minLength: 1 + type: string + oidcClients: + description: |- + oidcClients is an optional field that configures how on-cluster, + platform clients should request tokens from the identity provider. + oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. + items: + description: |- + OIDCClientConfig configures how platform clients + interact with identity providers as an authentication + method + properties: + clientID: + description: |- + clientID is a required field that configures the client identifier, from + the identity provider, that the platform component uses for authentication + requests made to the identity provider. + The identity provider must accept this identifier for platform components + to be able to use the identity provider as an authentication mode. + + clientID must not be an empty string (""). + minLength: 1 + type: string + clientSecret: + description: |- + clientSecret is an optional field that configures the client secret used + by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests + to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' + namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + The client secret will be used when making authentication requests to the identity provider. + + Public clients do not require a client secret but private + clients do require a client secret to work with the identity provider. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + componentName: + description: |- + componentName is a required field that specifies the name of the platform + component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + componentNamespace: + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component being configured to use the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + maxLength: 63 + minLength: 1 + type: string + extraScopes: + description: |- + extraScopes is an optional field that configures the extra scopes that should + be requested by the platform component when making authentication requests to the + identity provider. + This is useful if you have configured claim mappings that requires specific + scopes to be requested beyond the standard OIDC scopes. + + When omitted, no additional scopes are requested. + items: + type: string + type: array + x-kubernetes-list-type: set + required: + - clientID + - componentName + - componentNamespace + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map + required: + - issuer + - name + type: object + maxItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + serviceAccountIssuer: + description: |- + serviceAccountIssuer is the identifier of the bound service account token + issuer. + The default is https://kubernetes.default.svc + WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the + previous issuer value. Instead, the tokens issued by previous service account issuer will continue to + be trusted for a time period chosen by the platform (currently set to 24h). + This time period is subject to change over time. + This allows internal components to transition to use new service account issuer without service distruption. + type: string + type: + description: |- + type identifies the cluster managed, user facing authentication mode in use. + Specifically, it manages the component that responds to login attempts. + The default is IntegratedOAuth. + enum: + - "" + - None + - IntegratedOAuth + - OIDC + type: string + webhookTokenAuthenticator: + description: |- + webhookTokenAuthenticator configures a remote token reviewer. + These remote authentication webhooks can be used to verify bearer tokens + via the tokenreviews.authentication.k8s.io REST API. This is required to + honor bearer tokens that are provisioned by an external authentication service. + + Can only be set if "Type" is set to "None". + properties: + kubeConfig: + description: |- + kubeConfig references a secret that contains kube config file data which + describes how to access the remote webhook service. + The namespace for the referenced secret is openshift-config. + + For further details, see: + + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. + properties: + name: + description: name is the metadata.name of the referenced secret + type: string + required: + - name + type: object + required: + - kubeConfig + type: object + webhookTokenAuthenticators: + description: webhookTokenAuthenticators is DEPRECATED, setting it + has no effect. + items: + description: |- + deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. + It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. + properties: + kubeConfig: + description: |- + kubeConfig contains kube config file data which describes how to access the remote webhook service. + For further details, see: + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. + The namespace for this secret is determined by the point of use. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + properties: + integratedOAuthMetadata: + description: |- + integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 + Authorization Server Metadata for the in-cluster integrated OAuth server. + This discovery document can be viewed from its served location: + oc get --raw '/.well-known/oauth-authorization-server' + For further details, see the IETF Draft: + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + This contains the observed value based on cluster state. + An explicitly set value in spec.oauthMetadata has precedence over this field. + This field has no meaning if authentication spec.type is not set to IntegratedOAuth. + The key "oauthMetadata" is used to locate the data. + If the config map or expected key is not found, no metadata is served. + If the specified metadata is not valid, no metadata is served. + The namespace for this config map is openshift-config-managed. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + oidcClients: + description: |- + oidcClients is where participating operators place the current OIDC client status + for OIDC clients that can be customized by the cluster-admin. + items: + description: |- + OIDCClientStatus represents the current state + of platform components and how they interact with + the configured identity providers. + properties: + componentName: + description: |- + componentName is a required field that specifies the name of the platform + component using the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + componentNamespace: + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component using the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + maxLength: 63 + minLength: 1 + type: string + conditions: + description: |- + conditions are used to communicate the state of the `oidcClients` entry. + + Supported conditions include Available, Degraded and Progressing. + + If Available is true, the component is successfully using the configured client. + If Degraded is true, that means something has gone wrong trying to handle the client configuration. + If Progressing is true, that means the component is taking some action related to the `oidcClients` entry. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + consumingUsers: + description: |- + consumingUsers is an optional list of ServiceAccounts requiring + read permissions on the `clientSecret` secret. + + consumingUsers must not exceed 5 entries. + items: + description: ConsumingUser is an alias for string which we + add validation to. Currently only service accounts are supported. + maxLength: 512 + minLength: 1 + pattern: ^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 5 + type: array + x-kubernetes-list-type: set + currentOIDCClients: + description: |- + currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. + items: + description: |- + OIDCClientReference is a reference to a platform component + client configuration. + properties: + clientID: + description: |- + clientID is a required field that specifies the client identifier, from + the identity provider, that the platform component is using for authentication + requests made to the identity provider. + + clientID must not be empty. + minLength: 1 + type: string + issuerURL: + description: |- + issuerURL is a required field that specifies the URL of the identity + provider that this client is configured to make requests against. + + issuerURL must use the 'https' scheme. + pattern: ^https:\/\/[^\s] + type: string + oidcProviderName: + description: |- + oidcProviderName is a required reference to the 'name' of the identity provider + configured in 'oidcProviders' that this client is associated with. + + oidcProviderName must not be an empty string (""). + minLength: 1 + type: string + required: + - clientID + - issuerURL + - oidcProviderName + type: object + type: array + x-kubernetes-list-map-keys: + - issuerURL + - clientID + x-kubernetes-list-type: map + required: + - componentName + - componentNamespace + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + x-kubernetes-validations: + - message: all oidcClients in the oidcProviders must match their componentName + and componentNamespace to either a previously configured oidcClient or + they must exist in the status.oidcClients + rule: '!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) + || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace + == specC.componentNamespace && statusC.componentName == specC.componentName) + || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, + oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, + oldC.componentNamespace == specC.componentNamespace && oldC.componentName + == specC.componentName)))))' + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000..21ab3c98 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml @@ -0,0 +1,850 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: authentications.config.openshift.io +spec: + group: config.openshift.io + names: + kind: Authentication + listKind: AuthenticationList + plural: authentications + singular: authentication + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Authentication specifies cluster-wide settings for authentication (like OAuth and + webhook token authenticators). The canonical name of an instance is `cluster`. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + oauthMetadata: + description: |- + oauthMetadata contains the discovery endpoint data for OAuth 2.0 + Authorization Server Metadata for an external OAuth server. + This discovery document can be viewed from its served location: + oc get --raw '/.well-known/oauth-authorization-server' + For further details, see the IETF Draft: + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + If oauthMetadata.name is non-empty, this value has precedence + over any metadata reference stored in status. + The key "oauthMetadata" is used to locate the data. + If specified and the config map or expected key is not found, no metadata is served. + If the specified metadata is not valid, no metadata is served. + The namespace for this config map is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + oidcProviders: + description: |- + oidcProviders are OIDC identity providers that can issue tokens + for this cluster + Can only be set if "Type" is set to "OIDC". + + At most one provider can be configured. + items: + properties: + claimMappings: + description: |- + claimMappings is an optional field that configures the rules to be used by + the Kubernetes API server for translating claims in a JWT token, issued + by the identity provider, to a cluster identity. + properties: + extra: + description: |- + extra is an optional field for configuring the mappings + used to construct the extra attribute for the cluster identity. + When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. + A maximum of 64 extra attribute mappings may be provided. + items: + description: |- + ExtraMapping allows specifying a key and CEL expression + to evaluate the keys' value. It is used to create additional + mappings and attributes added to a cluster identity from + a provided authentication token. + properties: + key: + description: |- + key is a required field that specifies the string + to use as the extra attribute key. + + key must be a domain-prefix path (e.g 'example.org/foo'). + key must not exceed 510 characters in length. + key must contain the '/' character, separating the domain and path characters. + key must not be empty. + + The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. + It must not exceed 253 characters in length. + It must start and end with an alphanumeric character. + It must only contain lower case alphanumeric characters and '-' or '.'. + It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". + + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one + alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + It must not exceed 256 characters in length. + maxLength: 510 + minLength: 1 + type: string + x-kubernetes-validations: + - message: key must contain the '/' character + rule: self.contains('/') + - message: the domain of the key must consist of only + lower case alphanumeric characters, '-' or '.', + and must start and end with an alphanumeric character + rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + - message: the domain of the key must not exceed 253 + characters in length + rule: self.split('/', 2)[0].size() <= 253 + - message: the domain 'kubernetes.io' is reserved + for Kubernetes use + rule: self.split('/', 2)[0] != 'kubernetes.io' + - message: the subdomains '*.kubernetes.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' + - message: the domain 'k8s.io' is reserved for Kubernetes + use + rule: self.split('/', 2)[0] != 'k8s.io' + - message: the subdomains '*.k8s.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' + - message: the domain 'openshift.io' is reserved for + OpenShift use + rule: self.split('/', 2)[0] != 'openshift.io' + - message: the subdomains '*.openshift.io' are reserved + for OpenShift use + rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' + - message: the path of the key must not be empty and + must consist of at least one alphanumeric character, + percent-encoded octets, apostrophe, '-', '.', + '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', + ';', '=', and ':' + rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') + - message: the path of the key must not exceed 256 + characters in length + rule: self.split('/', 2)[1].size() <= 256 + valueExpression: + description: |- + valueExpression is a required field to specify the CEL expression to extract + the extra attribute value from a JWT token's claims. + valueExpression must produce a string or string array value. + "", [], and null are treated as the extra mapping not being present. + Empty string values within an array are filtered out. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + valueExpression must not exceed 4096 characters in length. + valueExpression must not be empty. + maxLength: 4096 + minLength: 1 + type: string + required: + - key + - valueExpression + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - key + x-kubernetes-list-type: map + groups: + description: |- + groups is an optional field that configures how the groups of a cluster identity + should be constructed from the claims in a JWT token issued + by the identity provider. + When referencing a claim, if the claim is present in the JWT + token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + properties: + claim: + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. + type: string + prefix: + description: |- + prefix is an optional field that configures the prefix that will be + applied to the cluster identity attribute during the process of mapping + JWT claims to cluster identity attributes. + + When omitted (""), no prefix is applied to the cluster identity attribute. + + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains + an array of strings "a", "b" and "c", the mapping will result in an + array of string "myoidc:a", "myoidc:b" and "myoidc:c". + type: string + required: + - claim + type: object + uid: + description: |- + uid is an optional field for configuring the claim mapping + used to construct the uid for the cluster identity. + + When using uid.claim to specify the claim it must be a single string value. + When using uid.expression the expression must result in a single string value. + + When omitted, this means the user has no opinion and the platform + is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. + properties: + claim: + description: |- + claim is an optional field for specifying the + JWT token claim that is used in the mapping. + The value of this claim will be assigned to + the field in which this mapping is associated. + + Precisely one of claim or expression must be set. + claim must not be specified when expression is set. + When specified, claim must be at least 1 character in length + and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + expression: + description: |- + expression is an optional field for specifying a + CEL expression that produces a string value from + JWT token claims. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + Precisely one of claim or expression must be set. + expression must not be specified when claim is set. + When specified, expression must be at least 1 character in length + and must not exceed 4096 characters in length. + maxLength: 4096 + minLength: 1 + type: string + type: object + x-kubernetes-validations: + - message: precisely one of claim or expression must be + set + rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' + username: + description: |- + username is an optional field that configures how the username of a cluster identity + should be constructed from the claims in a JWT token issued by the identity provider. + properties: + claim: + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. + type: string + prefix: + description: |- + prefix configures the prefix that should be prepended to the value + of the JWT claim. + + prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. + properties: + prefixString: + description: |- + prefixString is a required field that configures the prefix that will + be applied to cluster identity username attribute + during the process of mapping JWT claims to cluster identity attributes. + + prefixString must not be an empty string (""). + minLength: 1 + type: string + required: + - prefixString + type: object + prefixPolicy: + description: |- + prefixPolicy is an optional field that configures how a prefix should be + applied to the value of the JWT claim specified in the 'claim' field. + + Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). + + When set to 'Prefix', the value specified in the prefix field will be + prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. + + When set to 'NoPrefix', no prefix will be prepended to the value + of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose + any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim + when the claim is not 'email'. + As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + - "username": the mapped value will be "https://myoidc.tld#userA" + - "email": the mapped value will be "userA@myoidc.tld" + enum: + - "" + - NoPrefix + - Prefix + type: string + required: + - claim + type: object + x-kubernetes-validations: + - message: prefix must be set if prefixPolicy is 'Prefix', + but must remain unset otherwise + rule: 'has(self.prefixPolicy) && self.prefixPolicy == + ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) + > 0) : !has(self.prefix)' + type: object + claimValidationRules: + description: |- + claimValidationRules is an optional field that configures the rules to + be used by the Kubernetes API server for validating the claims in a JWT + token issued by the identity provider. + + Validation rules are joined via an AND operation. + items: + properties: + requiredClaim: + description: |- + requiredClaim is an optional field that configures the required claim + and value that the Kubernetes API server will use to validate if an incoming + JWT is valid for this identity provider. + properties: + claim: + description: |- + claim is a required field that configures the name of the required claim. + When taken from the JWT claims, claim must be a string value. + + claim must not be an empty string (""). + minLength: 1 + type: string + requiredValue: + description: |- + requiredValue is a required field that configures the value that 'claim' must + have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token + will be rejected for authentication. + + requiredValue must not be an empty string (""). + minLength: 1 + type: string + required: + - claim + - requiredValue + type: object + type: + default: RequiredClaim + description: |- + type is an optional field that configures the type of the validation rule. + + Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). + + When set to 'RequiredClaim', the Kubernetes API server + will be configured to validate that the incoming JWT + contains the required claim and that its value matches + the required value. + + Defaults to 'RequiredClaim'. + enum: + - RequiredClaim + type: string + type: object + type: array + x-kubernetes-list-type: atomic + issuer: + description: |- + issuer is a required field that configures how the platform interacts + with the identity provider and how tokens issued from the identity provider + are evaluated by the Kubernetes API server. + properties: + audiences: + description: |- + audiences is a required field that configures the acceptable audiences + the JWT token, issued by the identity provider, must be issued to. + At least one of the entries must match the 'aud' claim in the JWT token. + + audiences must contain at least one entry and must not exceed ten entries. + items: + minLength: 1 + type: string + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: set + issuerCertificateAuthority: + description: |- + issuerCertificateAuthority is an optional field that configures the + certificate authority, used by the Kubernetes API server, to validate + the connection to the identity provider when fetching discovery information. + + When not specified, the system trust is used. + + When specified, it must reference a ConfigMap in the openshift-config + namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' + key in the data field of the ConfigMap. + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + required: + - name + type: object + issuerURL: + description: |- + issuerURL is a required field that configures the URL used to issue tokens + by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled + by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + + issuerURL must use the 'https' scheme. + pattern: ^https:\/\/[^\s] + type: string + required: + - audiences + - issuerURL + type: object + name: + description: |- + name is a required field that configures the unique human-readable identifier + associated with the identity provider. + It is used to distinguish between multiple identity providers + and has no impact on token validation or authentication mechanics. + + name must not be an empty string (""). + minLength: 1 + type: string + oidcClients: + description: |- + oidcClients is an optional field that configures how on-cluster, + platform clients should request tokens from the identity provider. + oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. + items: + description: |- + OIDCClientConfig configures how platform clients + interact with identity providers as an authentication + method + properties: + clientID: + description: |- + clientID is a required field that configures the client identifier, from + the identity provider, that the platform component uses for authentication + requests made to the identity provider. + The identity provider must accept this identifier for platform components + to be able to use the identity provider as an authentication mode. + + clientID must not be an empty string (""). + minLength: 1 + type: string + clientSecret: + description: |- + clientSecret is an optional field that configures the client secret used + by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests + to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' + namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + The client secret will be used when making authentication requests to the identity provider. + + Public clients do not require a client secret but private + clients do require a client secret to work with the identity provider. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + componentName: + description: |- + componentName is a required field that specifies the name of the platform + component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + componentNamespace: + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component being configured to use the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + maxLength: 63 + minLength: 1 + type: string + extraScopes: + description: |- + extraScopes is an optional field that configures the extra scopes that should + be requested by the platform component when making authentication requests to the + identity provider. + This is useful if you have configured claim mappings that requires specific + scopes to be requested beyond the standard OIDC scopes. + + When omitted, no additional scopes are requested. + items: + type: string + type: array + x-kubernetes-list-type: set + required: + - clientID + - componentName + - componentNamespace + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map + required: + - issuer + - name + type: object + maxItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + serviceAccountIssuer: + description: |- + serviceAccountIssuer is the identifier of the bound service account token + issuer. + The default is https://kubernetes.default.svc + WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the + previous issuer value. Instead, the tokens issued by previous service account issuer will continue to + be trusted for a time period chosen by the platform (currently set to 24h). + This time period is subject to change over time. + This allows internal components to transition to use new service account issuer without service distruption. + type: string + type: + description: |- + type identifies the cluster managed, user facing authentication mode in use. + Specifically, it manages the component that responds to login attempts. + The default is IntegratedOAuth. + enum: + - "" + - None + - IntegratedOAuth + - OIDC + type: string + webhookTokenAuthenticator: + description: |- + webhookTokenAuthenticator configures a remote token reviewer. + These remote authentication webhooks can be used to verify bearer tokens + via the tokenreviews.authentication.k8s.io REST API. This is required to + honor bearer tokens that are provisioned by an external authentication service. + + Can only be set if "Type" is set to "None". + properties: + kubeConfig: + description: |- + kubeConfig references a secret that contains kube config file data which + describes how to access the remote webhook service. + The namespace for the referenced secret is openshift-config. + + For further details, see: + + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. + properties: + name: + description: name is the metadata.name of the referenced secret + type: string + required: + - name + type: object + required: + - kubeConfig + type: object + webhookTokenAuthenticators: + description: webhookTokenAuthenticators is DEPRECATED, setting it + has no effect. + items: + description: |- + deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. + It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. + properties: + kubeConfig: + description: |- + kubeConfig contains kube config file data which describes how to access the remote webhook service. + For further details, see: + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. + The namespace for this secret is determined by the point of use. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + properties: + integratedOAuthMetadata: + description: |- + integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 + Authorization Server Metadata for the in-cluster integrated OAuth server. + This discovery document can be viewed from its served location: + oc get --raw '/.well-known/oauth-authorization-server' + For further details, see the IETF Draft: + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + This contains the observed value based on cluster state. + An explicitly set value in spec.oauthMetadata has precedence over this field. + This field has no meaning if authentication spec.type is not set to IntegratedOAuth. + The key "oauthMetadata" is used to locate the data. + If the config map or expected key is not found, no metadata is served. + If the specified metadata is not valid, no metadata is served. + The namespace for this config map is openshift-config-managed. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + oidcClients: + description: |- + oidcClients is where participating operators place the current OIDC client status + for OIDC clients that can be customized by the cluster-admin. + items: + description: |- + OIDCClientStatus represents the current state + of platform components and how they interact with + the configured identity providers. + properties: + componentName: + description: |- + componentName is a required field that specifies the name of the platform + component using the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + componentNamespace: + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component using the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + maxLength: 63 + minLength: 1 + type: string + conditions: + description: |- + conditions are used to communicate the state of the `oidcClients` entry. + + Supported conditions include Available, Degraded and Progressing. + + If Available is true, the component is successfully using the configured client. + If Degraded is true, that means something has gone wrong trying to handle the client configuration. + If Progressing is true, that means the component is taking some action related to the `oidcClients` entry. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + consumingUsers: + description: |- + consumingUsers is an optional list of ServiceAccounts requiring + read permissions on the `clientSecret` secret. + + consumingUsers must not exceed 5 entries. + items: + description: ConsumingUser is an alias for string which we + add validation to. Currently only service accounts are supported. + maxLength: 512 + minLength: 1 + pattern: ^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 5 + type: array + x-kubernetes-list-type: set + currentOIDCClients: + description: |- + currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. + items: + description: |- + OIDCClientReference is a reference to a platform component + client configuration. + properties: + clientID: + description: |- + clientID is a required field that specifies the client identifier, from + the identity provider, that the platform component is using for authentication + requests made to the identity provider. + + clientID must not be empty. + minLength: 1 + type: string + issuerURL: + description: |- + issuerURL is a required field that specifies the URL of the identity + provider that this client is configured to make requests against. + + issuerURL must use the 'https' scheme. + pattern: ^https:\/\/[^\s] + type: string + oidcProviderName: + description: |- + oidcProviderName is a required reference to the 'name' of the identity provider + configured in 'oidcProviders' that this client is associated with. + + oidcProviderName must not be an empty string (""). + minLength: 1 + type: string + required: + - clientID + - issuerURL + - oidcProviderName + type: object + type: array + x-kubernetes-list-map-keys: + - issuerURL + - clientID + x-kubernetes-list-type: map + required: + - componentName + - componentNamespace + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + x-kubernetes-validations: + - message: all oidcClients in the oidcProviders must match their componentName + and componentNamespace to either a previously configured oidcClient or + they must exist in the status.oidcClients + rule: '!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) + || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace + == specC.componentNamespace && statusC.componentName == specC.componentName) + || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, + oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, + oldC.componentNamespace == specC.componentNamespace && oldC.componentName + == specC.componentName)))))' + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml index 07c2f49d..19c2ccf7 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml @@ -79,47 +79,216 @@ spec: properties: claimMappings: description: |- - claimMappings describes rules on how to transform information from an - ID token into a cluster identity + claimMappings is an optional field that configures the rules to be used by + the Kubernetes API server for translating claims in a JWT token, issued + by the identity provider, to a cluster identity. properties: + extra: + description: |- + extra is an optional field for configuring the mappings + used to construct the extra attribute for the cluster identity. + When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. + A maximum of 64 extra attribute mappings may be provided. + items: + description: |- + ExtraMapping allows specifying a key and CEL expression + to evaluate the keys' value. It is used to create additional + mappings and attributes added to a cluster identity from + a provided authentication token. + properties: + key: + description: |- + key is a required field that specifies the string + to use as the extra attribute key. + + key must be a domain-prefix path (e.g 'example.org/foo'). + key must not exceed 510 characters in length. + key must contain the '/' character, separating the domain and path characters. + key must not be empty. + + The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. + It must not exceed 253 characters in length. + It must start and end with an alphanumeric character. + It must only contain lower case alphanumeric characters and '-' or '.'. + It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". + + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one + alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + It must not exceed 256 characters in length. + maxLength: 510 + minLength: 1 + type: string + x-kubernetes-validations: + - message: key must contain the '/' character + rule: self.contains('/') + - message: the domain of the key must consist of only + lower case alphanumeric characters, '-' or '.', + and must start and end with an alphanumeric character + rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + - message: the domain of the key must not exceed 253 + characters in length + rule: self.split('/', 2)[0].size() <= 253 + - message: the domain 'kubernetes.io' is reserved + for Kubernetes use + rule: self.split('/', 2)[0] != 'kubernetes.io' + - message: the subdomains '*.kubernetes.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' + - message: the domain 'k8s.io' is reserved for Kubernetes + use + rule: self.split('/', 2)[0] != 'k8s.io' + - message: the subdomains '*.k8s.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' + - message: the domain 'openshift.io' is reserved for + OpenShift use + rule: self.split('/', 2)[0] != 'openshift.io' + - message: the subdomains '*.openshift.io' are reserved + for OpenShift use + rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' + - message: the path of the key must not be empty and + must consist of at least one alphanumeric character, + percent-encoded octets, apostrophe, '-', '.', + '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', + ';', '=', and ':' + rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') + - message: the path of the key must not exceed 256 + characters in length + rule: self.split('/', 2)[1].size() <= 256 + valueExpression: + description: |- + valueExpression is a required field to specify the CEL expression to extract + the extra attribute value from a JWT token's claims. + valueExpression must produce a string or string array value. + "", [], and null are treated as the extra mapping not being present. + Empty string values within an array are filtered out. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + valueExpression must not exceed 4096 characters in length. + valueExpression must not be empty. + maxLength: 4096 + minLength: 1 + type: string + required: + - key + - valueExpression + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - key + x-kubernetes-list-type: map groups: description: |- - groups is a name of the claim that should be used to construct - groups for the cluster identity. - The referenced claim must use array of strings values. + groups is an optional field that configures how the groups of a cluster identity + should be constructed from the claims in a JWT token issued + by the identity provider. + When referencing a claim, if the claim is present in the JWT + token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. type: string prefix: description: |- - prefix is a string to prefix the value from the token in the result of the - claim mapping. + prefix is an optional field that configures the prefix that will be + applied to the cluster identity attribute during the process of mapping + JWT claims to cluster identity attributes. - By default, no prefixing occurs. + When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string required: - claim type: object - username: + uid: description: |- - username is a name of the claim that should be used to construct - usernames for the cluster identity. + uid is an optional field for configuring the claim mapping + used to construct the uid for the cluster identity. - Default value: "sub" + When using uid.claim to specify the claim it must be a single string value. + When using uid.expression the expression must result in a single string value. + + When omitted, this means the user has no opinion and the platform + is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. + properties: + claim: + description: |- + claim is an optional field for specifying the + JWT token claim that is used in the mapping. + The value of this claim will be assigned to + the field in which this mapping is associated. + + Precisely one of claim or expression must be set. + claim must not be specified when expression is set. + When specified, claim must be at least 1 character in length + and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + expression: + description: |- + expression is an optional field for specifying a + CEL expression that produces a string value from + JWT token claims. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + Precisely one of claim or expression must be set. + expression must not be specified when claim is set. + When specified, expression must be at least 1 character in length + and must not exceed 4096 characters in length. + maxLength: 4096 + minLength: 1 + type: string + type: object + x-kubernetes-validations: + - message: precisely one of claim or expression must be + set + rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' + username: + description: |- + username is an optional field that configures how the username of a cluster identity + should be constructed from the claims in a JWT token issued by the identity provider. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. type: string prefix: + description: |- + prefix configures the prefix that should be prepended to the value + of the JWT claim. + + prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: + description: |- + prefixString is a required field that configures the prefix that will + be applied to cluster identity username attribute + during the process of mapping JWT claims to cluster identity attributes. + + prefixString must not be an empty string (""). minLength: 1 type: string required: @@ -127,25 +296,28 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy specifies how a prefix should apply. - - By default, claims other than `email` will be prefixed with the issuer URL to - prevent naming clashes with other plugins. - - Set to "NoPrefix" to disable prefixing. - - Example: - (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - If the JWT claim `username` contains value `userA`, the resulting - mapped value will be "myoidc:userA". - (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - JWT `email` claim contains value "userA@myoidc.tld", the resulting - mapped value will be "myoidc:userA@myoidc.tld". - (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - (a) "username": the mapped value will be "https://myoidc.tld#userA" - (b) "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy is an optional field that configures how a prefix should be + applied to the value of the JWT claim specified in the 'claim' field. + + Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). + + When set to 'Prefix', the value specified in the prefix field will be + prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. + + When set to 'NoPrefix', no prefix will be prepended to the value + of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose + any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim + when the claim is not 'email'. + As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + - "username": the mapped value will be "https://myoidc.tld#userA" + - "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix @@ -162,24 +334,36 @@ spec: > 0) : !has(self.prefix)' type: object claimValidationRules: - description: claimValidationRules are rules that are applied - to validate token claims to authenticate users. + description: |- + claimValidationRules is an optional field that configures the rules to + be used by the Kubernetes API server for validating the claims in a JWT + token issued by the identity provider. + + Validation rules are joined via an AND operation. items: properties: requiredClaim: description: |- - requiredClaim allows configuring a required claim name and its expected - value + requiredClaim is an optional field that configures the required claim + and value that the Kubernetes API server will use to validate if an incoming + JWT is valid for this identity provider. properties: claim: description: |- - claim is a name of a required claim. Only claims with string values are - supported. + claim is a required field that configures the name of the required claim. + When taken from the JWT claims, claim must be a string value. + + claim must not be an empty string (""). minLength: 1 type: string requiredValue: - description: requiredValue is the required value for - the claim. + description: |- + requiredValue is a required field that configures the value that 'claim' must + have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token + will be rejected for authentication. + + requiredValue must not be an empty string (""). minLength: 1 type: string required: @@ -188,7 +372,17 @@ spec: type: object type: default: RequiredClaim - description: type sets the type of the validation rule + description: |- + type is an optional field that configures the type of the validation rule. + + Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). + + When set to 'RequiredClaim', the Kubernetes API server + will be configured to validate that the incoming JWT + contains the required claim and that its value matches + the required value. + + Defaults to 'RequiredClaim'. enum: - RequiredClaim type: string @@ -196,14 +390,18 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: issuer describes atributes of the OIDC token issuer + description: |- + issuer is a required field that configures how the platform interacts + with the identity provider and how tokens issued from the identity provider + are evaluated by the Kubernetes API server. properties: audiences: description: |- - audiences is an array of audiences that the token was issued for. - Valid tokens must include at least one of these values in their - "aud" claim. - Must be set to exactly one value. + audiences is a required field that configures the acceptable audiences + the JWT token, issued by the identity provider, must be issued to. + At least one of the entries must match the 'aud' claim in the JWT token. + + audiences must contain at least one entry and must not exceed ten entries. items: minLength: 1 type: string @@ -213,10 +411,15 @@ spec: x-kubernetes-list-type: set issuerCertificateAuthority: description: |- - CertificateAuthority is a reference to a config map in the - configuration namespace. The .data of the configMap must contain - the "ca-bundle.crt" key. - If unset, system trust is used instead. + issuerCertificateAuthority is an optional field that configures the + certificate authority, used by the Kubernetes API server, to validate + the connection to the identity provider when fetching discovery information. + + When not specified, the system trust is used. + + When specified, it must reference a ConfigMap in the openshift-config + namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' + key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -227,8 +430,12 @@ spec: type: object issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that configures the URL used to issue tokens + by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled + by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string required: @@ -236,24 +443,51 @@ spec: - issuerURL type: object name: - description: name of the OIDC provider + description: |- + name is a required field that configures the unique human-readable identifier + associated with the identity provider. + It is used to distinguish between multiple identity providers + and has no impact on token validation or authentication mechanics. + + name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients contains configuration for the platform's clients that - need to request tokens from the issuer + oidcClients is an optional field that configures how on-cluster, + platform clients should request tokens from the identity provider. + oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: + description: |- + OIDCClientConfig configures how platform clients + interact with identity providers as an authentication + method properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that configures the client identifier, from + the identity provider, that the platform component uses for authentication + requests made to the identity provider. + The identity provider must accept this identifier for platform components + to be able to use the identity provider as an authentication mode. + + clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret refers to a secret in the `openshift-config` namespace that - contains the client secret in the `clientSecret` key of the `.data` field + clientSecret is an optional field that configures the client secret used + by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests + to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' + namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + The client secret will be used when making authentication requests to the identity provider. + + Public clients do not require a client secret but private + clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced @@ -264,21 +498,34 @@ spec: type: object componentName: description: |- - componentName is the name of the component that is supposed to consume this - client configuration + componentName is a required field that specifies the name of the platform + component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is the namespace of the component that is supposed to consume this - client configuration + componentNamespace is a required field that specifies the namespace in which the + platform component being configured to use the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string extraScopes: - description: extraScopes is an optional set of scopes - to request tokens with. + description: |- + extraScopes is an optional field that configures the extra scopes that should + be requested by the platform component when making authentication requests to the + identity provider. + This is useful if you have configured claim mappings that requires specific + scopes to be requested beyond the standard OIDC scopes. + + When omitted, no additional scopes are requested. items: type: string type: array @@ -418,16 +665,29 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: + description: |- + OIDCClientStatus represents the current state + of platform components and how they interact with + the configured identity providers. properties: componentName: - description: componentName is the name of the component that - will consume a client configuration. + description: |- + componentName is a required field that specifies the name of the platform + component using the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: - description: componentNamespace is the namespace of the component - that will consume a client configuration. + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component using the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string @@ -501,8 +761,10 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is a slice of ServiceAccounts that need to have read - permission on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring + read permissions on the `clientSecret` secret. + + consumingUsers must not exceed 5 entries. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. @@ -514,24 +776,37 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: currentOIDCClients is a list of clients that the - component is currently using. + description: |- + currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: + description: |- + OIDCClientReference is a reference to a platform component + client configuration. properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that specifies the client identifier, from + the identity provider, that the platform component is using for authentication + requests made to the identity provider. + + clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that specifies the URL of the identity + provider that this client is configured to make requests against. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: OIDCName refers to the `name` of the provider - from `oidcProviders` + description: |- + oidcProviderName is a required reference to the 'name' of the identity provider + configured in 'oidcProviders' that this client is associated with. + + oidcProviderName must not be an empty string (""). minLength: 1 type: string required: diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml index 718aeff5..43964011 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml @@ -79,47 +79,216 @@ spec: properties: claimMappings: description: |- - claimMappings describes rules on how to transform information from an - ID token into a cluster identity + claimMappings is an optional field that configures the rules to be used by + the Kubernetes API server for translating claims in a JWT token, issued + by the identity provider, to a cluster identity. properties: + extra: + description: |- + extra is an optional field for configuring the mappings + used to construct the extra attribute for the cluster identity. + When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. + A maximum of 64 extra attribute mappings may be provided. + items: + description: |- + ExtraMapping allows specifying a key and CEL expression + to evaluate the keys' value. It is used to create additional + mappings and attributes added to a cluster identity from + a provided authentication token. + properties: + key: + description: |- + key is a required field that specifies the string + to use as the extra attribute key. + + key must be a domain-prefix path (e.g 'example.org/foo'). + key must not exceed 510 characters in length. + key must contain the '/' character, separating the domain and path characters. + key must not be empty. + + The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. + It must not exceed 253 characters in length. + It must start and end with an alphanumeric character. + It must only contain lower case alphanumeric characters and '-' or '.'. + It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". + + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one + alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + It must not exceed 256 characters in length. + maxLength: 510 + minLength: 1 + type: string + x-kubernetes-validations: + - message: key must contain the '/' character + rule: self.contains('/') + - message: the domain of the key must consist of only + lower case alphanumeric characters, '-' or '.', + and must start and end with an alphanumeric character + rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + - message: the domain of the key must not exceed 253 + characters in length + rule: self.split('/', 2)[0].size() <= 253 + - message: the domain 'kubernetes.io' is reserved + for Kubernetes use + rule: self.split('/', 2)[0] != 'kubernetes.io' + - message: the subdomains '*.kubernetes.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' + - message: the domain 'k8s.io' is reserved for Kubernetes + use + rule: self.split('/', 2)[0] != 'k8s.io' + - message: the subdomains '*.k8s.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' + - message: the domain 'openshift.io' is reserved for + OpenShift use + rule: self.split('/', 2)[0] != 'openshift.io' + - message: the subdomains '*.openshift.io' are reserved + for OpenShift use + rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' + - message: the path of the key must not be empty and + must consist of at least one alphanumeric character, + percent-encoded octets, apostrophe, '-', '.', + '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', + ';', '=', and ':' + rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') + - message: the path of the key must not exceed 256 + characters in length + rule: self.split('/', 2)[1].size() <= 256 + valueExpression: + description: |- + valueExpression is a required field to specify the CEL expression to extract + the extra attribute value from a JWT token's claims. + valueExpression must produce a string or string array value. + "", [], and null are treated as the extra mapping not being present. + Empty string values within an array are filtered out. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + valueExpression must not exceed 4096 characters in length. + valueExpression must not be empty. + maxLength: 4096 + minLength: 1 + type: string + required: + - key + - valueExpression + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - key + x-kubernetes-list-type: map groups: description: |- - groups is a name of the claim that should be used to construct - groups for the cluster identity. - The referenced claim must use array of strings values. + groups is an optional field that configures how the groups of a cluster identity + should be constructed from the claims in a JWT token issued + by the identity provider. + When referencing a claim, if the claim is present in the JWT + token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. type: string prefix: description: |- - prefix is a string to prefix the value from the token in the result of the - claim mapping. + prefix is an optional field that configures the prefix that will be + applied to the cluster identity attribute during the process of mapping + JWT claims to cluster identity attributes. - By default, no prefixing occurs. + When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string required: - claim type: object - username: + uid: description: |- - username is a name of the claim that should be used to construct - usernames for the cluster identity. + uid is an optional field for configuring the claim mapping + used to construct the uid for the cluster identity. - Default value: "sub" + When using uid.claim to specify the claim it must be a single string value. + When using uid.expression the expression must result in a single string value. + + When omitted, this means the user has no opinion and the platform + is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. + properties: + claim: + description: |- + claim is an optional field for specifying the + JWT token claim that is used in the mapping. + The value of this claim will be assigned to + the field in which this mapping is associated. + + Precisely one of claim or expression must be set. + claim must not be specified when expression is set. + When specified, claim must be at least 1 character in length + and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + expression: + description: |- + expression is an optional field for specifying a + CEL expression that produces a string value from + JWT token claims. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + Precisely one of claim or expression must be set. + expression must not be specified when claim is set. + When specified, expression must be at least 1 character in length + and must not exceed 4096 characters in length. + maxLength: 4096 + minLength: 1 + type: string + type: object + x-kubernetes-validations: + - message: precisely one of claim or expression must be + set + rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' + username: + description: |- + username is an optional field that configures how the username of a cluster identity + should be constructed from the claims in a JWT token issued by the identity provider. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. type: string prefix: + description: |- + prefix configures the prefix that should be prepended to the value + of the JWT claim. + + prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: + description: |- + prefixString is a required field that configures the prefix that will + be applied to cluster identity username attribute + during the process of mapping JWT claims to cluster identity attributes. + + prefixString must not be an empty string (""). minLength: 1 type: string required: @@ -127,25 +296,28 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy specifies how a prefix should apply. - - By default, claims other than `email` will be prefixed with the issuer URL to - prevent naming clashes with other plugins. - - Set to "NoPrefix" to disable prefixing. - - Example: - (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - If the JWT claim `username` contains value `userA`, the resulting - mapped value will be "myoidc:userA". - (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - JWT `email` claim contains value "userA@myoidc.tld", the resulting - mapped value will be "myoidc:userA@myoidc.tld". - (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - (a) "username": the mapped value will be "https://myoidc.tld#userA" - (b) "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy is an optional field that configures how a prefix should be + applied to the value of the JWT claim specified in the 'claim' field. + + Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). + + When set to 'Prefix', the value specified in the prefix field will be + prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. + + When set to 'NoPrefix', no prefix will be prepended to the value + of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose + any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim + when the claim is not 'email'. + As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + - "username": the mapped value will be "https://myoidc.tld#userA" + - "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix @@ -162,24 +334,36 @@ spec: > 0) : !has(self.prefix)' type: object claimValidationRules: - description: claimValidationRules are rules that are applied - to validate token claims to authenticate users. + description: |- + claimValidationRules is an optional field that configures the rules to + be used by the Kubernetes API server for validating the claims in a JWT + token issued by the identity provider. + + Validation rules are joined via an AND operation. items: properties: requiredClaim: description: |- - requiredClaim allows configuring a required claim name and its expected - value + requiredClaim is an optional field that configures the required claim + and value that the Kubernetes API server will use to validate if an incoming + JWT is valid for this identity provider. properties: claim: description: |- - claim is a name of a required claim. Only claims with string values are - supported. + claim is a required field that configures the name of the required claim. + When taken from the JWT claims, claim must be a string value. + + claim must not be an empty string (""). minLength: 1 type: string requiredValue: - description: requiredValue is the required value for - the claim. + description: |- + requiredValue is a required field that configures the value that 'claim' must + have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token + will be rejected for authentication. + + requiredValue must not be an empty string (""). minLength: 1 type: string required: @@ -188,7 +372,17 @@ spec: type: object type: default: RequiredClaim - description: type sets the type of the validation rule + description: |- + type is an optional field that configures the type of the validation rule. + + Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). + + When set to 'RequiredClaim', the Kubernetes API server + will be configured to validate that the incoming JWT + contains the required claim and that its value matches + the required value. + + Defaults to 'RequiredClaim'. enum: - RequiredClaim type: string @@ -196,14 +390,18 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: issuer describes atributes of the OIDC token issuer + description: |- + issuer is a required field that configures how the platform interacts + with the identity provider and how tokens issued from the identity provider + are evaluated by the Kubernetes API server. properties: audiences: description: |- - audiences is an array of audiences that the token was issued for. - Valid tokens must include at least one of these values in their - "aud" claim. - Must be set to exactly one value. + audiences is a required field that configures the acceptable audiences + the JWT token, issued by the identity provider, must be issued to. + At least one of the entries must match the 'aud' claim in the JWT token. + + audiences must contain at least one entry and must not exceed ten entries. items: minLength: 1 type: string @@ -213,10 +411,15 @@ spec: x-kubernetes-list-type: set issuerCertificateAuthority: description: |- - CertificateAuthority is a reference to a config map in the - configuration namespace. The .data of the configMap must contain - the "ca-bundle.crt" key. - If unset, system trust is used instead. + issuerCertificateAuthority is an optional field that configures the + certificate authority, used by the Kubernetes API server, to validate + the connection to the identity provider when fetching discovery information. + + When not specified, the system trust is used. + + When specified, it must reference a ConfigMap in the openshift-config + namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' + key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -227,8 +430,12 @@ spec: type: object issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that configures the URL used to issue tokens + by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled + by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string required: @@ -236,24 +443,51 @@ spec: - issuerURL type: object name: - description: name of the OIDC provider + description: |- + name is a required field that configures the unique human-readable identifier + associated with the identity provider. + It is used to distinguish between multiple identity providers + and has no impact on token validation or authentication mechanics. + + name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients contains configuration for the platform's clients that - need to request tokens from the issuer + oidcClients is an optional field that configures how on-cluster, + platform clients should request tokens from the identity provider. + oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: + description: |- + OIDCClientConfig configures how platform clients + interact with identity providers as an authentication + method properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that configures the client identifier, from + the identity provider, that the platform component uses for authentication + requests made to the identity provider. + The identity provider must accept this identifier for platform components + to be able to use the identity provider as an authentication mode. + + clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret refers to a secret in the `openshift-config` namespace that - contains the client secret in the `clientSecret` key of the `.data` field + clientSecret is an optional field that configures the client secret used + by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests + to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' + namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + The client secret will be used when making authentication requests to the identity provider. + + Public clients do not require a client secret but private + clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced @@ -264,21 +498,34 @@ spec: type: object componentName: description: |- - componentName is the name of the component that is supposed to consume this - client configuration + componentName is a required field that specifies the name of the platform + component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is the namespace of the component that is supposed to consume this - client configuration + componentNamespace is a required field that specifies the namespace in which the + platform component being configured to use the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string extraScopes: - description: extraScopes is an optional set of scopes - to request tokens with. + description: |- + extraScopes is an optional field that configures the extra scopes that should + be requested by the platform component when making authentication requests to the + identity provider. + This is useful if you have configured claim mappings that requires specific + scopes to be requested beyond the standard OIDC scopes. + + When omitted, no additional scopes are requested. items: type: string type: array @@ -418,16 +665,29 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: + description: |- + OIDCClientStatus represents the current state + of platform components and how they interact with + the configured identity providers. properties: componentName: - description: componentName is the name of the component that - will consume a client configuration. + description: |- + componentName is a required field that specifies the name of the platform + component using the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: - description: componentNamespace is the namespace of the component - that will consume a client configuration. + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component using the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string @@ -501,8 +761,10 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is a slice of ServiceAccounts that need to have read - permission on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring + read permissions on the `clientSecret` secret. + + consumingUsers must not exceed 5 entries. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. @@ -514,24 +776,37 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: currentOIDCClients is a list of clients that the - component is currently using. + description: |- + currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: + description: |- + OIDCClientReference is a reference to a platform component + client configuration. properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that specifies the client identifier, from + the identity provider, that the platform component is using for authentication + requests made to the identity provider. + + clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that specifies the URL of the identity + provider that this client is configured to make requests against. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: OIDCName refers to the `name` of the provider - from `oidcProviders` + description: |- + oidcProviderName is a required reference to the 'name' of the identity provider + configured in 'oidcProviders' that this client is associated with. + + oidcProviderName must not be an empty string (""). minLength: 1 type: string required: diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml index 87529096..51e10e8f 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml @@ -79,47 +79,216 @@ spec: properties: claimMappings: description: |- - claimMappings describes rules on how to transform information from an - ID token into a cluster identity + claimMappings is an optional field that configures the rules to be used by + the Kubernetes API server for translating claims in a JWT token, issued + by the identity provider, to a cluster identity. properties: + extra: + description: |- + extra is an optional field for configuring the mappings + used to construct the extra attribute for the cluster identity. + When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. + A maximum of 64 extra attribute mappings may be provided. + items: + description: |- + ExtraMapping allows specifying a key and CEL expression + to evaluate the keys' value. It is used to create additional + mappings and attributes added to a cluster identity from + a provided authentication token. + properties: + key: + description: |- + key is a required field that specifies the string + to use as the extra attribute key. + + key must be a domain-prefix path (e.g 'example.org/foo'). + key must not exceed 510 characters in length. + key must contain the '/' character, separating the domain and path characters. + key must not be empty. + + The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. + It must not exceed 253 characters in length. + It must start and end with an alphanumeric character. + It must only contain lower case alphanumeric characters and '-' or '.'. + It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". + + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one + alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + It must not exceed 256 characters in length. + maxLength: 510 + minLength: 1 + type: string + x-kubernetes-validations: + - message: key must contain the '/' character + rule: self.contains('/') + - message: the domain of the key must consist of only + lower case alphanumeric characters, '-' or '.', + and must start and end with an alphanumeric character + rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + - message: the domain of the key must not exceed 253 + characters in length + rule: self.split('/', 2)[0].size() <= 253 + - message: the domain 'kubernetes.io' is reserved + for Kubernetes use + rule: self.split('/', 2)[0] != 'kubernetes.io' + - message: the subdomains '*.kubernetes.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' + - message: the domain 'k8s.io' is reserved for Kubernetes + use + rule: self.split('/', 2)[0] != 'k8s.io' + - message: the subdomains '*.k8s.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' + - message: the domain 'openshift.io' is reserved for + OpenShift use + rule: self.split('/', 2)[0] != 'openshift.io' + - message: the subdomains '*.openshift.io' are reserved + for OpenShift use + rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' + - message: the path of the key must not be empty and + must consist of at least one alphanumeric character, + percent-encoded octets, apostrophe, '-', '.', + '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', + ';', '=', and ':' + rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') + - message: the path of the key must not exceed 256 + characters in length + rule: self.split('/', 2)[1].size() <= 256 + valueExpression: + description: |- + valueExpression is a required field to specify the CEL expression to extract + the extra attribute value from a JWT token's claims. + valueExpression must produce a string or string array value. + "", [], and null are treated as the extra mapping not being present. + Empty string values within an array are filtered out. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + valueExpression must not exceed 4096 characters in length. + valueExpression must not be empty. + maxLength: 4096 + minLength: 1 + type: string + required: + - key + - valueExpression + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - key + x-kubernetes-list-type: map groups: description: |- - groups is a name of the claim that should be used to construct - groups for the cluster identity. - The referenced claim must use array of strings values. + groups is an optional field that configures how the groups of a cluster identity + should be constructed from the claims in a JWT token issued + by the identity provider. + When referencing a claim, if the claim is present in the JWT + token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. type: string prefix: description: |- - prefix is a string to prefix the value from the token in the result of the - claim mapping. + prefix is an optional field that configures the prefix that will be + applied to the cluster identity attribute during the process of mapping + JWT claims to cluster identity attributes. - By default, no prefixing occurs. + When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string required: - claim type: object - username: + uid: description: |- - username is a name of the claim that should be used to construct - usernames for the cluster identity. + uid is an optional field for configuring the claim mapping + used to construct the uid for the cluster identity. - Default value: "sub" + When using uid.claim to specify the claim it must be a single string value. + When using uid.expression the expression must result in a single string value. + + When omitted, this means the user has no opinion and the platform + is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. + properties: + claim: + description: |- + claim is an optional field for specifying the + JWT token claim that is used in the mapping. + The value of this claim will be assigned to + the field in which this mapping is associated. + + Precisely one of claim or expression must be set. + claim must not be specified when expression is set. + When specified, claim must be at least 1 character in length + and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + expression: + description: |- + expression is an optional field for specifying a + CEL expression that produces a string value from + JWT token claims. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + Precisely one of claim or expression must be set. + expression must not be specified when claim is set. + When specified, expression must be at least 1 character in length + and must not exceed 4096 characters in length. + maxLength: 4096 + minLength: 1 + type: string + type: object + x-kubernetes-validations: + - message: precisely one of claim or expression must be + set + rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' + username: + description: |- + username is an optional field that configures how the username of a cluster identity + should be constructed from the claims in a JWT token issued by the identity provider. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. type: string prefix: + description: |- + prefix configures the prefix that should be prepended to the value + of the JWT claim. + + prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: + description: |- + prefixString is a required field that configures the prefix that will + be applied to cluster identity username attribute + during the process of mapping JWT claims to cluster identity attributes. + + prefixString must not be an empty string (""). minLength: 1 type: string required: @@ -127,25 +296,28 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy specifies how a prefix should apply. - - By default, claims other than `email` will be prefixed with the issuer URL to - prevent naming clashes with other plugins. - - Set to "NoPrefix" to disable prefixing. - - Example: - (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - If the JWT claim `username` contains value `userA`, the resulting - mapped value will be "myoidc:userA". - (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - JWT `email` claim contains value "userA@myoidc.tld", the resulting - mapped value will be "myoidc:userA@myoidc.tld". - (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - (a) "username": the mapped value will be "https://myoidc.tld#userA" - (b) "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy is an optional field that configures how a prefix should be + applied to the value of the JWT claim specified in the 'claim' field. + + Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). + + When set to 'Prefix', the value specified in the prefix field will be + prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. + + When set to 'NoPrefix', no prefix will be prepended to the value + of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose + any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim + when the claim is not 'email'. + As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + - "username": the mapped value will be "https://myoidc.tld#userA" + - "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix @@ -162,24 +334,36 @@ spec: > 0) : !has(self.prefix)' type: object claimValidationRules: - description: claimValidationRules are rules that are applied - to validate token claims to authenticate users. + description: |- + claimValidationRules is an optional field that configures the rules to + be used by the Kubernetes API server for validating the claims in a JWT + token issued by the identity provider. + + Validation rules are joined via an AND operation. items: properties: requiredClaim: description: |- - requiredClaim allows configuring a required claim name and its expected - value + requiredClaim is an optional field that configures the required claim + and value that the Kubernetes API server will use to validate if an incoming + JWT is valid for this identity provider. properties: claim: description: |- - claim is a name of a required claim. Only claims with string values are - supported. + claim is a required field that configures the name of the required claim. + When taken from the JWT claims, claim must be a string value. + + claim must not be an empty string (""). minLength: 1 type: string requiredValue: - description: requiredValue is the required value for - the claim. + description: |- + requiredValue is a required field that configures the value that 'claim' must + have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token + will be rejected for authentication. + + requiredValue must not be an empty string (""). minLength: 1 type: string required: @@ -188,7 +372,17 @@ spec: type: object type: default: RequiredClaim - description: type sets the type of the validation rule + description: |- + type is an optional field that configures the type of the validation rule. + + Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). + + When set to 'RequiredClaim', the Kubernetes API server + will be configured to validate that the incoming JWT + contains the required claim and that its value matches + the required value. + + Defaults to 'RequiredClaim'. enum: - RequiredClaim type: string @@ -196,14 +390,18 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: issuer describes atributes of the OIDC token issuer + description: |- + issuer is a required field that configures how the platform interacts + with the identity provider and how tokens issued from the identity provider + are evaluated by the Kubernetes API server. properties: audiences: description: |- - audiences is an array of audiences that the token was issued for. - Valid tokens must include at least one of these values in their - "aud" claim. - Must be set to exactly one value. + audiences is a required field that configures the acceptable audiences + the JWT token, issued by the identity provider, must be issued to. + At least one of the entries must match the 'aud' claim in the JWT token. + + audiences must contain at least one entry and must not exceed ten entries. items: minLength: 1 type: string @@ -213,10 +411,15 @@ spec: x-kubernetes-list-type: set issuerCertificateAuthority: description: |- - CertificateAuthority is a reference to a config map in the - configuration namespace. The .data of the configMap must contain - the "ca-bundle.crt" key. - If unset, system trust is used instead. + issuerCertificateAuthority is an optional field that configures the + certificate authority, used by the Kubernetes API server, to validate + the connection to the identity provider when fetching discovery information. + + When not specified, the system trust is used. + + When specified, it must reference a ConfigMap in the openshift-config + namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' + key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -227,8 +430,12 @@ spec: type: object issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that configures the URL used to issue tokens + by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled + by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string required: @@ -236,24 +443,51 @@ spec: - issuerURL type: object name: - description: name of the OIDC provider + description: |- + name is a required field that configures the unique human-readable identifier + associated with the identity provider. + It is used to distinguish between multiple identity providers + and has no impact on token validation or authentication mechanics. + + name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients contains configuration for the platform's clients that - need to request tokens from the issuer + oidcClients is an optional field that configures how on-cluster, + platform clients should request tokens from the identity provider. + oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: + description: |- + OIDCClientConfig configures how platform clients + interact with identity providers as an authentication + method properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that configures the client identifier, from + the identity provider, that the platform component uses for authentication + requests made to the identity provider. + The identity provider must accept this identifier for platform components + to be able to use the identity provider as an authentication mode. + + clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret refers to a secret in the `openshift-config` namespace that - contains the client secret in the `clientSecret` key of the `.data` field + clientSecret is an optional field that configures the client secret used + by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests + to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' + namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + The client secret will be used when making authentication requests to the identity provider. + + Public clients do not require a client secret but private + clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced @@ -264,21 +498,34 @@ spec: type: object componentName: description: |- - componentName is the name of the component that is supposed to consume this - client configuration + componentName is a required field that specifies the name of the platform + component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is the namespace of the component that is supposed to consume this - client configuration + componentNamespace is a required field that specifies the namespace in which the + platform component being configured to use the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string extraScopes: - description: extraScopes is an optional set of scopes - to request tokens with. + description: |- + extraScopes is an optional field that configures the extra scopes that should + be requested by the platform component when making authentication requests to the + identity provider. + This is useful if you have configured claim mappings that requires specific + scopes to be requested beyond the standard OIDC scopes. + + When omitted, no additional scopes are requested. items: type: string type: array @@ -418,16 +665,29 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: + description: |- + OIDCClientStatus represents the current state + of platform components and how they interact with + the configured identity providers. properties: componentName: - description: componentName is the name of the component that - will consume a client configuration. + description: |- + componentName is a required field that specifies the name of the platform + component using the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: - description: componentNamespace is the namespace of the component - that will consume a client configuration. + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component using the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string @@ -501,8 +761,10 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is a slice of ServiceAccounts that need to have read - permission on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring + read permissions on the `clientSecret` secret. + + consumingUsers must not exceed 5 entries. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. @@ -514,24 +776,37 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: currentOIDCClients is a list of clients that the - component is currently using. + description: |- + currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: + description: |- + OIDCClientReference is a reference to a platform component + client configuration. properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that specifies the client identifier, from + the identity provider, that the platform component is using for authentication + requests made to the identity provider. + + clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that specifies the URL of the identity + provider that this client is configured to make requests against. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: OIDCName refers to the `name` of the provider - from `oidcProviders` + description: |- + oidcProviderName is a required reference to the 'name' of the identity provider + configured in 'oidcProviders' that this client is associated with. + + oidcProviderName must not be an empty string (""). minLength: 1 type: string required: diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml index d984f8f9..02ae2dcb 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml @@ -1917,7 +1917,6 @@ spec: - IAM - ServiceUsage - Storage - - TagManager type: string url: description: |- @@ -1943,7 +1942,7 @@ spec: - name - url type: object - maxItems: 9 + maxItems: 8 type: array x-kubernetes-list-map-keys: - name diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml index 5f569b44..6dcc0cfb 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml @@ -718,7 +718,7 @@ spec: //network/. items: type: string - maxItems: 1 + maxItems: 10 minItems: 1 type: array x-kubernetes-list-type: atomic diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml index 7c16c2b6..f0e96f9f 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml @@ -1917,7 +1917,6 @@ spec: - IAM - ServiceUsage - Storage - - TagManager type: string url: description: |- @@ -1943,7 +1942,7 @@ spec: - name - url type: object - maxItems: 9 + maxItems: 8 type: array x-kubernetes-list-map-keys: - name diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml index a4d31c22..0391eb18 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml @@ -1130,7 +1130,6 @@ spec: - HighlyAvailable - HighlyAvailableArbiter - SingleReplica - - DualReplica - External type: string cpuPartitioning: @@ -1917,7 +1916,6 @@ spec: - IAM - ServiceUsage - Storage - - TagManager type: string url: description: |- @@ -1943,7 +1941,7 @@ spec: - name - url type: object - maxItems: 9 + maxItems: 8 type: array x-kubernetes-list-map-keys: - name diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml index 776be2ee..1274ac4d 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml @@ -49,7 +49,6 @@ spec: cgroupMode: description: cgroupMode determines the cgroups version on the node enum: - - v1 - v2 - "" type: string diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-Default.crd.yaml index a4d69857..bc50d370 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-Default.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-Default.crd.yaml @@ -49,7 +49,6 @@ spec: cgroupMode: description: cgroupMode determines the cgroups version on the node enum: - - v1 - v2 - "" type: string diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml index 00413af2..0cd65142 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml @@ -49,7 +49,6 @@ spec: cgroupMode: description: cgroupMode determines the cgroups version on the node enum: - - v1 - v2 - "" type: string diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml index 8504be1e..13d3adce 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml @@ -49,7 +49,6 @@ spec: cgroupMode: description: cgroupMode determines the cgroups version on the node enum: - - v1 - v2 - "" type: string diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go index 40b0c857..38aa2f6f 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1 @@ -42,6 +42,11 @@ func (in *APIServer) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *APIServerEncryption) DeepCopyInto(out *APIServerEncryption) { *out = *in + if in.KMS != nil { + in, out := &in.KMS, &out.KMS + *out = new(KMSConfig) + (*in).DeepCopyInto(*out) + } return } @@ -143,7 +148,7 @@ func (in *APIServerSpec) DeepCopyInto(out *APIServerSpec) { *out = make([]string, len(*in)) copy(*out, *in) } - out.Encryption = in.Encryption + in.Encryption.DeepCopyInto(&out.Encryption) if in.TLSSecurityProfile != nil { in, out := &in.TLSSecurityProfile, &out.TLSSecurityProfile *out = new(TLSSecurityProfile) @@ -211,6 +216,22 @@ func (in *AWSIngressSpec) DeepCopy() *AWSIngressSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AWSKMSConfig) DeepCopyInto(out *AWSKMSConfig) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSKMSConfig. +func (in *AWSKMSConfig) DeepCopy() *AWSKMSConfig { + if in == nil { + return nil + } + out := new(AWSKMSConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AWSPlatformSpec) DeepCopyInto(out *AWSPlatformSpec) { *out = *in @@ -2000,6 +2021,22 @@ func (in *ExternalPlatformStatus) DeepCopy() *ExternalPlatformStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExtraMapping) DeepCopyInto(out *ExtraMapping) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtraMapping. +func (in *ExtraMapping) DeepCopy() *ExtraMapping { + if in == nil { + return nil + } + out := new(ExtraMapping) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *FeatureGate) DeepCopyInto(out *FeatureGate) { *out = *in @@ -3305,6 +3342,27 @@ func (in *IntermediateTLSProfile) DeepCopy() *IntermediateTLSProfile { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KMSConfig) DeepCopyInto(out *KMSConfig) { + *out = *in + if in.AWS != nil { + in, out := &in.AWS, &out.AWS + *out = new(AWSKMSConfig) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KMSConfig. +func (in *KMSConfig) DeepCopy() *KMSConfig { + if in == nil { + return nil + } + out := new(KMSConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *KeystoneIdentityProvider) DeepCopyInto(out *KeystoneIdentityProvider) { *out = *in @@ -5685,6 +5743,16 @@ func (in *TokenClaimMappings) DeepCopyInto(out *TokenClaimMappings) { *out = *in in.Username.DeepCopyInto(&out.Username) out.Groups = in.Groups + if in.UID != nil { + in, out := &in.UID, &out.UID + *out = new(TokenClaimOrExpressionMapping) + **out = **in + } + if in.Extra != nil { + in, out := &in.Extra, &out.Extra + *out = make([]ExtraMapping, len(*in)) + copy(*out, *in) + } return } @@ -5698,6 +5766,22 @@ func (in *TokenClaimMappings) DeepCopy() *TokenClaimMappings { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TokenClaimOrExpressionMapping) DeepCopyInto(out *TokenClaimOrExpressionMapping) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenClaimOrExpressionMapping. +func (in *TokenClaimOrExpressionMapping) DeepCopy() *TokenClaimOrExpressionMapping { + if in == nil { + return nil + } + out := new(TokenClaimOrExpressionMapping) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TokenClaimValidationRule) DeepCopyInto(out *TokenClaimValidationRule) { *out = *in diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml index f8182fff..a681631c 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml @@ -5,7 +5,8 @@ apiservers.config.openshift.io: CRDName: apiservers.config.openshift.io Capability: "" Category: "" - FeatureGates: [] + FeatureGates: + - KMSEncryptionProvider FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" @@ -29,6 +30,7 @@ authentications.config.openshift.io: Category: "" FeatureGates: - ExternalOIDC + - ExternalOIDCWithUIDAndExtraClaimMappings FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" @@ -312,18 +314,16 @@ infrastructures.config.openshift.io: Category: "" FeatureGates: - AWSClusterHostedDNS - - BareMetalLoadBalancer - DualReplica - DyanmicServiceEndpointIBMCloud - GCPClusterHostedDNS - GCPCustomAPIEndpoints - GCPLabelsTags - HighlyAvailableArbiter + - HighlyAvailableArbiter+DualReplica - NutanixMultiSubnets - - VSphereControlPlaneMachineSet - VSphereHostVMGroupZonal - VSphereMultiNetworks - - VSphereMultiVCenters FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go index 819b713a..002ea77f 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go @@ -277,7 +277,9 @@ func (APIServer) SwaggerDoc() map[string]string { } var map_APIServerEncryption = map[string]string{ + "": "APIServerEncryption is used to encrypt sensitive resources on the cluster.", "type": "type defines what encryption type should be used to encrypt resources at the datastore layer. When this field is unset (i.e. when it is set to the empty string), identity is implied. The behavior of unset can and will change over time. Even if encryption is enabled by default, the meaning of unset may change to a different encryption type based on changes in best practices.\n\nWhen encryption is enabled, all sensitive resources shipped with the platform are encrypted. This list of sensitive resources can and will change over time. The current authoritative list is:\n\n 1. secrets\n 2. configmaps\n 3. routes.route.openshift.io\n 4. oauthaccesstokens.oauth.openshift.io\n 5. oauthauthorizetokens.oauth.openshift.io", + "kms": "kms defines the configuration for the external KMS instance that manages the encryption keys, when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an externally configured KMS instance.\n\nThe Key Management Service (KMS) instance provides symmetric encryption and is responsible for managing the lifecyle of the encryption keys outside of the control plane. This allows integration with an external provider to manage the data encryption keys securely.", } func (APIServerEncryption) SwaggerDoc() map[string]string { @@ -394,12 +396,23 @@ func (DeprecatedWebhookTokenAuthenticator) SwaggerDoc() map[string]string { return map_DeprecatedWebhookTokenAuthenticator } +var map_ExtraMapping = map[string]string{ + "": "ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token.", + "key": "key is a required field that specifies the string to use as the extra attribute key.\n\nkey must be a domain-prefix path (e.g 'example.org/foo'). key must not exceed 510 characters in length. key must contain the '/' character, separating the domain and path characters. key must not be empty.\n\nThe domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. It must not exceed 253 characters in length. It must start and end with an alphanumeric character. It must only contain lower case alphanumeric characters and '-' or '.'. It must not use the reserved domains, or be subdomains of, \"kubernetes.io\", \"k8s.io\", and \"openshift.io\".\n\nThe path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. It must not exceed 256 characters in length.", + "valueExpression": "valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. \"\", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nvalueExpression must not exceed 4096 characters in length. valueExpression must not be empty.", +} + +func (ExtraMapping) SwaggerDoc() map[string]string { + return map_ExtraMapping +} + var map_OIDCClientConfig = map[string]string{ - "componentName": "componentName is the name of the component that is supposed to consume this client configuration", - "componentNamespace": "componentNamespace is the namespace of the component that is supposed to consume this client configuration", - "clientID": "clientID is the identifier of the OIDC client from the OIDC provider", - "clientSecret": "clientSecret refers to a secret in the `openshift-config` namespace that contains the client secret in the `clientSecret` key of the `.data` field", - "extraScopes": "extraScopes is an optional set of scopes to request tokens with.", + "": "OIDCClientConfig configures how platform clients interact with identity providers as an authentication method", + "componentName": "componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", + "componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", + "clientID": "clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode.\n\nclientID must not be an empty string (\"\").", + "clientSecret": "clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.\n\nWhen not specified, no client secret will be used when making authentication requests to the identity provider.\n\nWhen specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider.\n\nPublic clients do not require a client secret but private clients do require a client secret to work with the identity provider.", + "extraScopes": "extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes.\n\nWhen omitted, no additional scopes are requested.", } func (OIDCClientConfig) SwaggerDoc() map[string]string { @@ -407,9 +420,10 @@ func (OIDCClientConfig) SwaggerDoc() map[string]string { } var map_OIDCClientReference = map[string]string{ - "oidcProviderName": "OIDCName refers to the `name` of the provider from `oidcProviders`", - "issuerURL": "URL is the serving URL of the token issuer. Must use the https:// scheme.", - "clientID": "clientID is the identifier of the OIDC client from the OIDC provider", + "": "OIDCClientReference is a reference to a platform component client configuration.", + "oidcProviderName": "oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with.\n\noidcProviderName must not be an empty string (\"\").", + "issuerURL": "issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against.\n\nissuerURL must use the 'https' scheme.", + "clientID": "clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider.\n\nclientID must not be empty.", } func (OIDCClientReference) SwaggerDoc() map[string]string { @@ -417,10 +431,11 @@ func (OIDCClientReference) SwaggerDoc() map[string]string { } var map_OIDCClientStatus = map[string]string{ - "componentName": "componentName is the name of the component that will consume a client configuration.", - "componentNamespace": "componentNamespace is the namespace of the component that will consume a client configuration.", - "currentOIDCClients": "currentOIDCClients is a list of clients that the component is currently using.", - "consumingUsers": "consumingUsers is a slice of ServiceAccounts that need to have read permission on the `clientSecret` secret.", + "": "OIDCClientStatus represents the current state of platform components and how they interact with the configured identity providers.", + "componentName": "componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", + "componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", + "currentOIDCClients": "currentOIDCClients is an optional list of clients that the component is currently using. Entries must have unique issuerURL/clientID pairs.", + "consumingUsers": "consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret.\n\nconsumingUsers must not exceed 5 entries.", "conditions": "conditions are used to communicate the state of the `oidcClients` entry.\n\nSupported conditions include Available, Degraded and Progressing.\n\nIf Available is true, the component is successfully using the configured client. If Degraded is true, that means something has gone wrong trying to handle the client configuration. If Progressing is true, that means the component is taking some action related to the `oidcClients` entry.", } @@ -429,11 +444,11 @@ func (OIDCClientStatus) SwaggerDoc() map[string]string { } var map_OIDCProvider = map[string]string{ - "name": "name of the OIDC provider", - "issuer": "issuer describes atributes of the OIDC token issuer", - "oidcClients": "oidcClients contains configuration for the platform's clients that need to request tokens from the issuer", - "claimMappings": "claimMappings describes rules on how to transform information from an ID token into a cluster identity", - "claimValidationRules": "claimValidationRules are rules that are applied to validate token claims to authenticate users.", + "name": "name is a required field that configures the unique human-readable identifier associated with the identity provider. It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics.\n\nname must not be an empty string (\"\").", + "issuer": "issuer is a required field that configures how the platform interacts with the identity provider and how tokens issued from the identity provider are evaluated by the Kubernetes API server.", + "oidcClients": "oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.", + "claimMappings": "claimMappings is an optional field that configures the rules to be used by the Kubernetes API server for translating claims in a JWT token, issued by the identity provider, to a cluster identity.", + "claimValidationRules": "claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider.\n\nValidation rules are joined via an AND operation.", } func (OIDCProvider) SwaggerDoc() map[string]string { @@ -441,7 +456,8 @@ func (OIDCProvider) SwaggerDoc() map[string]string { } var map_PrefixedClaimMapping = map[string]string{ - "prefix": "prefix is a string to prefix the value from the token in the result of the claim mapping.\n\nBy default, no prefixing occurs.\n\nExample: if `prefix` is set to \"myoidc:\"\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", + "": "PrefixedClaimMapping configures a claim mapping that allows for an optional prefix.", + "prefix": "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", } func (PrefixedClaimMapping) SwaggerDoc() map[string]string { @@ -449,7 +465,8 @@ func (PrefixedClaimMapping) SwaggerDoc() map[string]string { } var map_TokenClaimMapping = map[string]string{ - "claim": "claim is a JWT token claim to be used in the mapping", + "": "TokenClaimMapping allows specifying a JWT token claim to be used when mapping claims from an authentication token to cluster identities.", + "claim": "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.", } func (TokenClaimMapping) SwaggerDoc() map[string]string { @@ -457,17 +474,29 @@ func (TokenClaimMapping) SwaggerDoc() map[string]string { } var map_TokenClaimMappings = map[string]string{ - "username": "username is a name of the claim that should be used to construct usernames for the cluster identity.\n\nDefault value: \"sub\"", - "groups": "groups is a name of the claim that should be used to construct groups for the cluster identity. The referenced claim must use array of strings values.", + "username": "username is an optional field that configures how the username of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.", + "groups": "groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). For example - '\"example\"' and '\"exampleOne\", \"exampleTwo\", \"exampleThree\"' are valid claim values.", + "uid": "uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity.\n\nWhen using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. The current default is to use the 'sub' claim.", + "extra": "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. A maximum of 64 extra attribute mappings may be provided.", } func (TokenClaimMappings) SwaggerDoc() map[string]string { return map_TokenClaimMappings } +var map_TokenClaimOrExpressionMapping = map[string]string{ + "": "TokenClaimOrExpressionMapping allows specifying either a JWT token claim or CEL expression to be used when mapping claims from an authentication token to cluster identities.", + "claim": "claim is an optional field for specifying the JWT token claim that is used in the mapping. The value of this claim will be assigned to the field in which this mapping is associated.\n\nPrecisely one of claim or expression must be set. claim must not be specified when expression is set. When specified, claim must be at least 1 character in length and must not exceed 256 characters in length.", + "expression": "expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nPrecisely one of claim or expression must be set. expression must not be specified when claim is set. When specified, expression must be at least 1 character in length and must not exceed 4096 characters in length.", +} + +func (TokenClaimOrExpressionMapping) SwaggerDoc() map[string]string { + return map_TokenClaimOrExpressionMapping +} + var map_TokenClaimValidationRule = map[string]string{ - "type": "type sets the type of the validation rule", - "requiredClaim": "requiredClaim allows configuring a required claim name and its expected value", + "type": "type is an optional field that configures the type of the validation rule.\n\nAllowed values are 'RequiredClaim' and omitted (not provided or an empty string).\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nDefaults to 'RequiredClaim'.", + "requiredClaim": "requiredClaim is an optional field that configures the required claim and value that the Kubernetes API server will use to validate if an incoming JWT is valid for this identity provider.", } func (TokenClaimValidationRule) SwaggerDoc() map[string]string { @@ -475,9 +504,9 @@ func (TokenClaimValidationRule) SwaggerDoc() map[string]string { } var map_TokenIssuer = map[string]string{ - "issuerURL": "URL is the serving URL of the token issuer. Must use the https:// scheme.", - "audiences": "audiences is an array of audiences that the token was issued for. Valid tokens must include at least one of these values in their \"aud\" claim. Must be set to exactly one value.", - "issuerCertificateAuthority": "CertificateAuthority is a reference to a config map in the configuration namespace. The .data of the configMap must contain the \"ca-bundle.crt\" key. If unset, system trust is used instead.", + "issuerURL": "issuerURL is a required field that configures the URL used to issue tokens by the identity provider. The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.\n\nissuerURL must use the 'https' scheme.", + "audiences": "audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token.\n\naudiences must contain at least one entry and must not exceed ten entries.", + "issuerCertificateAuthority": "issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information.\n\nWhen not specified, the system trust is used.\n\nWhen specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap.", } func (TokenIssuer) SwaggerDoc() map[string]string { @@ -485,8 +514,8 @@ func (TokenIssuer) SwaggerDoc() map[string]string { } var map_TokenRequiredClaim = map[string]string{ - "claim": "claim is a name of a required claim. Only claims with string values are supported.", - "requiredValue": "requiredValue is the required value for the claim.", + "claim": "claim is a required field that configures the name of the required claim. When taken from the JWT claims, claim must be a string value.\n\nclaim must not be an empty string (\"\").", + "requiredValue": "requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. If the value in the JWT claims does not match, the token will be rejected for authentication.\n\nrequiredValue must not be an empty string (\"\").", } func (TokenRequiredClaim) SwaggerDoc() map[string]string { @@ -494,13 +523,23 @@ func (TokenRequiredClaim) SwaggerDoc() map[string]string { } var map_UsernameClaimMapping = map[string]string{ - "prefixPolicy": "prefixPolicy specifies how a prefix should apply.\n\nBy default, claims other than `email` will be prefixed with the issuer URL to prevent naming clashes with other plugins.\n\nSet to \"NoPrefix\" to disable prefixing.\n\nExample:\n (1) `prefix` is set to \"myoidc:\" and `claim` is set to \"username\".\n If the JWT claim `username` contains value `userA`, the resulting\n mapped value will be \"myoidc:userA\".\n (2) `prefix` is set to \"myoidc:\" and `claim` is set to \"email\". If the\n JWT `email` claim contains value \"userA@myoidc.tld\", the resulting\n mapped value will be \"myoidc:userA@myoidc.tld\".\n (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n (a) \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n (b) \"email\": the mapped value will be \"userA@myoidc.tld\"", + "prefixPolicy": "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. The prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. As an example, consider the following scenario:\n `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n - \"email\": the mapped value will be \"userA@myoidc.tld\"", + "prefix": "prefix configures the prefix that should be prepended to the value of the JWT claim.\n\nprefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise.", } func (UsernameClaimMapping) SwaggerDoc() map[string]string { return map_UsernameClaimMapping } +var map_UsernamePrefix = map[string]string{ + "": "UsernamePrefix configures the string that should be used as a prefix for username claim mappings.", + "prefixString": "prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes.\n\nprefixString must not be an empty string (\"\").", +} + +func (UsernamePrefix) SwaggerDoc() map[string]string { + return map_UsernamePrefix +} + var map_WebhookTokenAuthenticator = map[string]string{ "": "webhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator", "kubeConfig": "kubeConfig references a secret that contains kube config file data which describes how to access the remote webhook service. The namespace for the referenced secret is openshift-config.\n\nFor further details, see:\n\nhttps://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication\n\nThe key \"kubeConfig\" is used to locate the data. If the secret or expected key is not found, the webhook is not honored. If the specified kube config data is not valid, the webhook is not honored.", @@ -1974,6 +2013,26 @@ func (LoadBalancer) SwaggerDoc() map[string]string { return map_LoadBalancer } +var map_AWSKMSConfig = map[string]string{ + "": "AWSKMSConfig defines the KMS config specific to AWS KMS provider", + "keyARN": "keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. The value must adhere to the format `arn:aws:kms:::key/`, where: - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - `` is a 12-digit numeric identifier for the AWS account. - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.", + "region": "region specifies the AWS region where the KMS instance exists, and follows the format `--`, e.g.: `us-east-1`. Only lowercase letters and hyphens followed by numbers are allowed.", +} + +func (AWSKMSConfig) SwaggerDoc() map[string]string { + return map_AWSKMSConfig +} + +var map_KMSConfig = map[string]string{ + "": "KMSConfig defines the configuration for the KMS instance that will be used with KMSEncryptionProvider encryption", + "type": "type defines the kind of platform for the KMS provider. Available provider types are AWS only.", + "aws": "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane.", +} + +func (KMSConfig) SwaggerDoc() map[string]string { + return map_KMSConfig +} + var map_ClusterNetworkEntry = map[string]string{ "": "ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs are allocated.", "cidr": "The complete block for pod IPs.", diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go index 5eaeeea7..107b9e29 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go @@ -59,6 +59,7 @@ type ClusterImagePolicyStatus struct { // conditions provide details on the status of this API Resource. // +listType=map // +listMapKey=type + // +optional Conditions []metav1.Condition `json:"conditions,omitempty"` } diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go b/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go index 24ff257c..5ffeac40 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go @@ -78,7 +78,7 @@ type PolicyRootOfTrust struct { // policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. // "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. // "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. - // "PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + // "PKI" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. // +unionDiscriminator // +required PolicyType PolicyType `json:"policyType"` diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_insights.go b/vendor/github.com/openshift/api/config/v1alpha1/types_insights.go index 3ae4de15..46666ae3 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/types_insights.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_insights.go @@ -32,33 +32,97 @@ type InsightsDataGather struct { } type InsightsDataGatherSpec struct { - // gatherConfig spec attribute includes all the configuration options related to - // gathering of the Insights data and its uploading to the ingress. + // gatherConfig spec attribute includes all the configuration options related to gathering of the Insights data and its uploading to the ingress. // +optional GatherConfig GatherConfig `json:"gatherConfig,omitempty"` } -type InsightsDataGatherStatus struct { -} +type InsightsDataGatherStatus struct{} // gatherConfig provides data gathering configuration options. type GatherConfig struct { - // dataPolicy allows user to enable additional global obfuscation of the IP addresses and base domain - // in the Insights archive data. Valid values are "None" and "ObfuscateNetworking". + // dataPolicy allows user to enable additional global obfuscation of the IP addresses and base domain in the Insights archive data. + // Valid values are "None" and "ObfuscateNetworking". // When set to None the data is not obfuscated. // When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - // The current default is None. // +optional DataPolicy DataPolicy `json:"dataPolicy,omitempty"` // disabledGatherers is a list of gatherers to be excluded from the gathering. All the gatherers can be disabled by providing "all" value. // If all the gatherers are disabled, the Insights operator does not gather any data. + // The format for the disabledGatherer should be: {gatherer}/{function} where the function is optional. + // Gatherer consists of a lowercase letters only that may include underscores (_). + // Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/). // The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. // Run the following command to get the names of last active gatherers: // "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'" // An example of disabling gatherers looks like this: `disabledGatherers: ["clusterconfig/machine_configs", "workloads/workload_info"]` + // +kubebuilder:validation:MaxItems=100 + // +optional + DisabledGatherers []DisabledGatherer `json:"disabledGatherers"` + // storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive. + // If omitted, the gathering job will use ephemeral storage. + // +optional + StorageSpec *Storage `json:"storage,omitempty"` +} + +// disabledGatherer is a string that represents a gatherer that should be disabled +// +kubebuilder:validation:MaxLength=256 +// +kubebuilder:validation:XValidation:rule=`self.matches("^[a-z]+[_a-z]*[a-z]([/a-z][_a-z]*)?[a-z]$")`,message=`disabledGatherer must be in the format of {gatherer}/{function} where the gatherer and function are lowercase letters only that may include underscores (_) and are separated by a forward slash (/) if the function is provided` +type DisabledGatherer string + +// storage provides persistent storage configuration options for gathering jobs. +// If the type is set to PersistentVolume, then the PersistentVolume must be defined. +// If the type is set to Ephemeral, then the PersistentVolume must not be defined. +// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'PersistentVolume' ? has(self.persistentVolume) : !has(self.persistentVolume)",message="persistentVolume is required when type is PersistentVolume, and forbidden otherwise" +type Storage struct { + // type is a required field that specifies the type of storage that will be used to store the Insights data archive. + // Valid values are "PersistentVolume" and "Ephemeral". + // When set to Ephemeral, the Insights data archive is stored in the ephemeral storage of the gathering job. + // When set to PersistentVolume, the Insights data archive is stored in the PersistentVolume that is defined by the persistentVolume field. + // +required + Type StorageType `json:"type"` + // persistentVolume is an optional field that specifies the PersistentVolume that will be used to store the Insights data archive. + // The PersistentVolume must be created in the openshift-insights namespace. // +optional - DisabledGatherers []string `json:"disabledGatherers"` + PersistentVolume *PersistentVolumeConfig `json:"persistentVolume,omitempty"` +} + +// storageType declares valid storage types +// +kubebuilder:validation:Enum=PersistentVolume;Ephemeral +type StorageType string + +const ( + // StorageTypePersistentVolume storage type + StorageTypePersistentVolume StorageType = "PersistentVolume" + // StorageTypeEphemeral storage type + StorageTypeEphemeral StorageType = "Ephemeral" +) + +// persistentVolumeConfig provides configuration options for PersistentVolume storage. +type PersistentVolumeConfig struct { + // claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive. + // The PersistentVolumeClaim must be created in the openshift-insights namespace. + // +required + Claim PersistentVolumeClaimReference `json:"claim"` + // mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod. + // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + // The current default mount path is /var/lib/insights-operator + // The path may not exceed 1024 characters and must not contain a colon. + // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:XValidation:rule="!self.contains(':')",message="mountPath must not contain a colon" + // +optional + MountPath string `json:"mountPath,omitempty"` +} + +// persistentVolumeClaimReference is a reference to a PersistentVolumeClaim. +type PersistentVolumeClaimReference struct { + // name is a string that follows the DNS1123 subdomain format. + // It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character. + // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character." + // +kubebuilder:validation:MaxLength:=253 + // +required + Name string `json:"name"` } const ( diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go index 42ae6900..b605ffcf 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1alpha1 @@ -353,9 +353,14 @@ func (in *GatherConfig) DeepCopyInto(out *GatherConfig) { *out = *in if in.DisabledGatherers != nil { in, out := &in.DisabledGatherers, &out.DisabledGatherers - *out = make([]string, len(*in)) + *out = make([]DisabledGatherer, len(*in)) copy(*out, *in) } + if in.StorageSpec != nil { + in, out := &in.StorageSpec, &out.StorageSpec + *out = new(Storage) + (*in).DeepCopyInto(*out) + } return } @@ -612,6 +617,39 @@ func (in *PKICertificateSubject) DeepCopy() *PKICertificateSubject { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PersistentVolumeClaimReference) DeepCopyInto(out *PersistentVolumeClaimReference) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PersistentVolumeClaimReference. +func (in *PersistentVolumeClaimReference) DeepCopy() *PersistentVolumeClaimReference { + if in == nil { + return nil + } + out := new(PersistentVolumeClaimReference) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PersistentVolumeConfig) DeepCopyInto(out *PersistentVolumeConfig) { + *out = *in + out.Claim = in.Claim + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PersistentVolumeConfig. +func (in *PersistentVolumeConfig) DeepCopy() *PersistentVolumeConfig { + if in == nil { + return nil + } + out := new(PersistentVolumeConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Policy) DeepCopyInto(out *Policy) { *out = *in @@ -819,6 +857,27 @@ func (in *RetentionSizeConfig) DeepCopy() *RetentionSizeConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Storage) DeepCopyInto(out *Storage) { + *out = *in + if in.PersistentVolume != nil { + in, out := &in.PersistentVolume, &out.PersistentVolume + *out = new(PersistentVolumeConfig) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Storage. +func (in *Storage) DeepCopy() *Storage { + if in == nil { + return nil + } + out := new(Storage) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *UserDefinedMonitoring) DeepCopyInto(out *UserDefinedMonitoring) { *out = *in diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go index 65da579c..3b145db6 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go @@ -285,7 +285,7 @@ func (PolicyMatchRemapIdentity) SwaggerDoc() map[string]string { var map_PolicyRootOfTrust = map[string]string{ "": "PolicyRootOfTrust defines the root of trust based on the selected policyType.", - "policyType": "policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. \"PublicKey\" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. \"FulcioCAWithRekor\" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. \"PKI\" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", + "policyType": "policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. \"PublicKey\" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. \"FulcioCAWithRekor\" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. \"PKI\" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", "publicKey": "publicKey defines the root of trust based on a sigstore public key.", "fulcioCAWithRekor": "fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", "pki": "pki defines the root of trust based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates.", @@ -307,8 +307,9 @@ func (PublicKey) SwaggerDoc() map[string]string { var map_GatherConfig = map[string]string{ "": "gatherConfig provides data gathering configuration options.", - "dataPolicy": "dataPolicy allows user to enable additional global obfuscation of the IP addresses and base domain in the Insights archive data. Valid values are \"None\" and \"ObfuscateNetworking\". When set to None the data is not obfuscated. When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is None.", - "disabledGatherers": "disabledGatherers is a list of gatherers to be excluded from the gathering. All the gatherers can be disabled by providing \"all\" value. If all the gatherers are disabled, the Insights operator does not gather any data. The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. Run the following command to get the names of last active gatherers: \"oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'\" An example of disabling gatherers looks like this: `disabledGatherers: [\"clusterconfig/machine_configs\", \"workloads/workload_info\"]`", + "dataPolicy": "dataPolicy allows user to enable additional global obfuscation of the IP addresses and base domain in the Insights archive data. Valid values are \"None\" and \"ObfuscateNetworking\". When set to None the data is not obfuscated. When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.", + "disabledGatherers": "disabledGatherers is a list of gatherers to be excluded from the gathering. All the gatherers can be disabled by providing \"all\" value. If all the gatherers are disabled, the Insights operator does not gather any data. The format for the disabledGatherer should be: {gatherer}/{function} where the function is optional. Gatherer consists of a lowercase letters only that may include underscores (_). Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/). The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. Run the following command to get the names of last active gatherers: \"oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'\" An example of disabling gatherers looks like this: `disabledGatherers: [\"clusterconfig/machine_configs\", \"workloads/workload_info\"]`", + "storage": "storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive. If omitted, the gathering job will use ephemeral storage.", } func (GatherConfig) SwaggerDoc() map[string]string { @@ -343,4 +344,33 @@ func (InsightsDataGatherSpec) SwaggerDoc() map[string]string { return map_InsightsDataGatherSpec } +var map_PersistentVolumeClaimReference = map[string]string{ + "": "persistentVolumeClaimReference is a reference to a PersistentVolumeClaim.", + "name": "name is a string that follows the DNS1123 subdomain format. It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character.", +} + +func (PersistentVolumeClaimReference) SwaggerDoc() map[string]string { + return map_PersistentVolumeClaimReference +} + +var map_PersistentVolumeConfig = map[string]string{ + "": "persistentVolumeConfig provides configuration options for PersistentVolume storage.", + "claim": "claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive. The PersistentVolumeClaim must be created in the openshift-insights namespace.", + "mountPath": "mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default mount path is /var/lib/insights-operator The path may not exceed 1024 characters and must not contain a colon.", +} + +func (PersistentVolumeConfig) SwaggerDoc() map[string]string { + return map_PersistentVolumeConfig +} + +var map_Storage = map[string]string{ + "": "storage provides persistent storage configuration options for gathering jobs. If the type is set to PersistentVolume, then the PersistentVolume must be defined. If the type is set to Ephemeral, then the PersistentVolume must not be defined.", + "type": "type is a required field that specifies the type of storage that will be used to store the Insights data archive. Valid values are \"PersistentVolume\" and \"Ephemeral\". When set to Ephemeral, the Insights data archive is stored in the ephemeral storage of the gathering job. When set to PersistentVolume, the Insights data archive is stored in the PersistentVolume that is defined by the persistentVolume field.", + "persistentVolume": "persistentVolume is an optional field that specifies the PersistentVolume that will be used to store the Insights data archive. The PersistentVolume must be created in the openshift-insights namespace.", +} + +func (Storage) SwaggerDoc() map[string]string { + return map_Storage +} + // AUTO-GENERATED FUNCTIONS END HERE diff --git a/vendor/github.com/openshift/api/features/features.go b/vendor/github.com/openshift/api/features/features.go index cac6693d..d786805b 100644 --- a/vendor/github.com/openshift/api/features/features.go +++ b/vendor/github.com/openshift/api/features/features.go @@ -40,16 +40,16 @@ var ( reportProblemsToJiraComponent("Management Console"). contactPerson("jhadvig"). productScope(ocpSpecific). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). enhancementPR("https://github.com/openshift/enhancements/pull/1706"). mustRegister() FeatureGateServiceAccountTokenNodeBinding = newFeatureGate("ServiceAccountTokenNodeBinding"). reportProblemsToJiraComponent("apiserver-auth"). - contactPerson("stlaz"). + contactPerson("ibihim"). productScope(kubernetes). enhancementPR("https://github.com/kubernetes/enhancements/issues/4193"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateValidatingAdmissionPolicy = newFeatureGate("ValidatingAdmissionPolicy"). @@ -65,7 +65,7 @@ var ( contactPerson("miciah"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateSetEIPForNLBIngressController = newFeatureGate("SetEIPForNLBIngressController"). @@ -100,14 +100,6 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateMachineAPIProviderOpenStack = newFeatureGate("MachineAPIProviderOpenStack"). - reportProblemsToJiraComponent("openstack"). - contactPerson("egarcia"). - productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateInsightsConfigAPI = newFeatureGate("InsightsConfigAPI"). reportProblemsToJiraComponent("insights"). contactPerson("tremes"). @@ -140,6 +132,14 @@ var ( enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateAzureDedicatedHosts = newFeatureGate("AzureDedicatedHosts"). + reportProblemsToJiraComponent("installer"). + contactPerson("rvanderp3"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1783"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateMaxUnavailableStatefulSet = newFeatureGate("MaxUnavailableStatefulSet"). reportProblemsToJiraComponent("apps"). contactPerson("atiratree"). @@ -176,7 +176,7 @@ var ( contactPerson("QiWang"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1658"). - enableIn(configv1.DevPreviewNoUpgrade). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateGCPLabelsTags = newFeatureGate("GCPLabelsTags"). @@ -195,14 +195,6 @@ var ( enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateCloudDualStackNodeIPs = newFeatureGate("CloudDualStackNodeIPs"). - reportProblemsToJiraComponent("machine-config-operator/platform-baremetal"). - contactPerson("mkowalsk"). - productScope(kubernetes). - enhancementPR("https://github.com/kubernetes/enhancements/issues/3705"). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateVSphereHostVMGroupZonal = newFeatureGate("VSphereHostVMGroupZonal"). reportProblemsToJiraComponent("splat"). contactPerson("jcpowermac"). @@ -219,28 +211,12 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateVSphereMultiVCenters = newFeatureGate("VSphereMultiVCenters"). - reportProblemsToJiraComponent("splat"). - contactPerson("vr4manta"). - productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - - FeatureGateVSphereStaticIPs = newFeatureGate("VSphereStaticIPs"). - reportProblemsToJiraComponent("splat"). - contactPerson("rvanderp3"). - productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateRouteExternalCertificate = newFeatureGate("RouteExternalCertificate"). reportProblemsToJiraComponent("router"). - contactPerson("thejasn"). + contactPerson("chiragkyal"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateCPMSMachineNamePrefix = newFeatureGate("CPMSMachineNamePrefix"). @@ -248,7 +224,7 @@ var ( contactPerson("chiragkyal"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1714"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateAdminNetworkPolicy = newFeatureGate("AdminNetworkPolicy"). @@ -346,14 +322,6 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateVSphereControlPlaneMachineset = newFeatureGate("VSphereControlPlaneMachineSet"). - reportProblemsToJiraComponent("splat"). - contactPerson("rvanderp3"). - productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateMachineConfigNodes = newFeatureGate("MachineConfigNodes"). reportProblemsToJiraComponent("MachineConfigOperator"). contactPerson("cdoern"). @@ -409,20 +377,20 @@ var ( enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateDisableKubeletCloudCredentialProviders = newFeatureGate("DisableKubeletCloudCredentialProviders"). - reportProblemsToJiraComponent("cloud-provider"). - contactPerson("jspeed"). - productScope(kubernetes). - enhancementPR("https://github.com/kubernetes/enhancements/issues/2395"). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() + FeatureGateManagedBootImagesvSphere = newFeatureGate("ManagedBootImagesvSphere"). + reportProblemsToJiraComponent("MachineConfigOperator"). + contactPerson("rsaini"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1496"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() FeatureGateOnClusterBuild = newFeatureGate("OnClusterBuild"). reportProblemsToJiraComponent("MachineConfigOperator"). - contactPerson("dkhater"). + contactPerson("cheesesashimi"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateBootcNodeManagement = newFeatureGate("BootcNodeManagement"). @@ -498,6 +466,15 @@ var ( enableForClusterProfile(Hypershift, configv1.Default, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateExternalOIDCWithAdditionalClaimMappings = newFeatureGate("ExternalOIDCWithUIDAndExtraClaimMappings"). + reportProblemsToJiraComponent("authentication"). + contactPerson("bpalmer"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1777"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableForClusterProfile(Hypershift, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateExample = newFeatureGate("Example"). reportProblemsToJiraComponent("cluster-config"). contactPerson("deads"). @@ -538,6 +515,30 @@ var ( enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateNewOLMPreflightPermissionChecks = newFeatureGate("NewOLMPreflightPermissionChecks"). + reportProblemsToJiraComponent("olm"). + contactPerson("tshort"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1768"). + enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + + FeatureGateNewOLMOwnSingleNamespace = newFeatureGate("NewOLMOwnSingleNamespace"). + reportProblemsToJiraComponent("olm"). + contactPerson("nschieder"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1774"). + enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + + FeatureGateNewOLMWebhookProviderOpenshiftServiceCA = newFeatureGate("NewOLMWebhookProviderOpenshiftServiceCA"). + reportProblemsToJiraComponent("olm"). + contactPerson("pegoncal"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1799"). + enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateInsightsOnDemandDataGather = newFeatureGate("InsightsOnDemandDataGather"). reportProblemsToJiraComponent("insights"). contactPerson("tremes"). @@ -546,14 +547,6 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateBareMetalLoadBalancer = newFeatureGate("BareMetalLoadBalancer"). - reportProblemsToJiraComponent("metal"). - contactPerson("EmilienM"). - productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateInsightsConfig = newFeatureGate("InsightsConfig"). reportProblemsToJiraComponent("insights"). contactPerson("tremes"). @@ -575,14 +568,6 @@ var ( contactPerson("rexagod"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - - FeatureGateVSphereDriverConfiguration = newFeatureGate("VSphereDriverConfiguration"). - reportProblemsToJiraComponent("Storage / Kubernetes External Components"). - contactPerson("rbednar"). - productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -591,6 +576,7 @@ var ( contactPerson("cjschaef"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateChunkSizeMiB = newFeatureGate("ChunkSizeMiB"). @@ -606,6 +592,7 @@ var ( contactPerson("jspeed"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGatePersistentIPsForVirtualization = newFeatureGate("PersistentIPsForVirtualization"). @@ -624,14 +611,6 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateMultiArchInstallAWS = newFeatureGate("MultiArchInstallAWS"). - reportProblemsToJiraComponent("Installer"). - contactPerson("r4f4"). - productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateMultiArchInstallAzure = newFeatureGate("MultiArchInstallAzure"). reportProblemsToJiraComponent("Installer"). contactPerson("r4f4"). @@ -639,14 +618,6 @@ var ( enhancementPR(legacyFeatureGateWithoutEnhancement). mustRegister() - FeatureGateMultiArchInstallGCP = newFeatureGate("MultiArchInstallGCP"). - reportProblemsToJiraComponent("Installer"). - contactPerson("r4f4"). - productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateIngressControllerLBSubnetsAWS = newFeatureGate("IngressControllerLBSubnetsAWS"). reportProblemsToJiraComponent("Routing"). contactPerson("miciah"). @@ -676,15 +647,18 @@ var ( contactPerson("haircommander"). productScope(kubernetes). enhancementPR("https://github.com/kubernetes/enhancements/issues/127"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). mustRegister() + // Note: this feature is perma-alpha, but it is safe and desireable to enable. + // It was an oversight in upstream to not remove the feature gate after the version skew became safe in 1.33. + // See https://github.com/kubernetes/enhancements/tree/d4226c42/keps/sig-node/127-user-namespaces#pod-security-standards-pss-integration FeatureGateUserNamespacesPodSecurityStandards = newFeatureGate("UserNamespacesPodSecurityStandards"). reportProblemsToJiraComponent("Node"). contactPerson("haircommander"). productScope(kubernetes). enhancementPR("https://github.com/kubernetes/enhancements/issues/127"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). mustRegister() FeatureGateProcMountType = newFeatureGate("ProcMountType"). @@ -692,7 +666,7 @@ var ( contactPerson("haircommander"). productScope(kubernetes). enhancementPR("https://github.com/kubernetes/enhancements/issues/4265"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). mustRegister() FeatureGateVSphereMultiNetworks = newFeatureGate("VSphereMultiNetworks"). @@ -700,7 +674,7 @@ var ( contactPerson("rvanderp"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateIngressControllerDynamicConfigurationManager = newFeatureGate("IngressControllerDynamicConfigurationManager"). @@ -770,14 +744,6 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateSELinuxChangePolicy = newFeatureGate("SELinuxChangePolicy"). - reportProblemsToJiraComponent("Storage / Kubernetes"). - contactPerson("jsafrane"). - productScope(kubernetes). - enhancementPR("https://github.com/kubernetes/enhancements/issues/1710"). - enableIn(configv1.DevPreviewNoUpgrade). - mustRegister() - FeatureGateSELinuxMount = newFeatureGate("SELinuxMount"). reportProblemsToJiraComponent("Storage / Kubernetes"). contactPerson("jsafrane"). @@ -794,6 +760,58 @@ var ( // TODO: Do not go GA until jira issue is resolved: https://issues.redhat.com/browse/OCPEDGE-1637 // Annotations must correctly handle either DualReplica or HighlyAvailableArbiter going GA with // the other still in TechPreview. - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.DevPreviewNoUpgrade). + mustRegister() + + FeatureGateGatewayAPIController = newFeatureGate("GatewayAPIController"). + reportProblemsToJiraComponent("Routing"). + contactPerson("miciah"). + productScope(ocpSpecific). + // Previously, the "GatewayAPI" feature gate managed both the GatewayAPI CRDs + // and the Gateway Controller. However, with the introduction of Gateway CRD + // lifecycle management (EP#1756), these responsibilities were separated. + // A dedicated feature gate now controls the Gateway Controller to distinguish + // its production readiness from that of the CRDs. + enhancementPR("https://github.com/openshift/enhancements/pull/1756"). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + + FeatureShortCertRotation = newFeatureGate("ShortCertRotation"). + reportProblemsToJiraComponent("kube-apiserver"). + contactPerson("vrutkovs"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1670"). + mustRegister() + + FeatureGateVSphereConfigurableMaxAllowedBlockVolumesPerNode = newFeatureGate("VSphereConfigurableMaxAllowedBlockVolumesPerNode"). + reportProblemsToJiraComponent("Storage / Kubernetes External Components"). + contactPerson("rbednar"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1748"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + + FeatureGateAzureMultiDisk = newFeatureGate("AzureMultiDisk"). + reportProblemsToJiraComponent("splat"). + contactPerson("jcpowermac"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1779"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + + FeatureGateAWSDedicatedHosts = newFeatureGate("AWSDedicatedHosts"). + reportProblemsToJiraComponent("Installer"). + contactPerson("faermanj"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1781"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + + FeatureGateVSphereMixedNodeEnv = newFeatureGate("VSphereMixedNodeEnv"). + reportProblemsToJiraComponent("splat"). + contactPerson("vr4manta"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1772"). + enableIn(configv1.DevPreviewNoUpgrade). + mustRegister() ) diff --git a/vendor/github.com/openshift/api/features/legacyfeaturegates.go b/vendor/github.com/openshift/api/features/legacyfeaturegates.go index 132a3dac..2a74f8e8 100644 --- a/vendor/github.com/openshift/api/features/legacyfeaturegates.go +++ b/vendor/github.com/openshift/api/features/legacyfeaturegates.go @@ -17,8 +17,6 @@ var legacyFeatureGates = sets.New( // never add to this list, if you think you have an exception ask @deads2k "AzureWorkloadIdentity", // never add to this list, if you think you have an exception ask @deads2k - "BareMetalLoadBalancer", - // never add to this list, if you think you have an exception ask @deads2k "BootcNodeManagement", // never add to this list, if you think you have an exception ask @deads2k "BuildCSIVolumes", diff --git a/vendor/github.com/openshift/api/machine/v1/types_alibabaprovider.go b/vendor/github.com/openshift/api/machine/v1/types_alibabaprovider.go index d1396fbf..12a81967 100644 --- a/vendor/github.com/openshift/api/machine/v1/types_alibabaprovider.go +++ b/vendor/github.com/openshift/api/machine/v1/types_alibabaprovider.go @@ -224,6 +224,8 @@ type AlibabaCloudMachineProviderStatus struct { // conditions is a set of conditions associated with the Machine to indicate // errors or other status // +optional + // +listType=map + // +listMapKey=type Conditions []metav1.Condition `json:"conditions,omitempty"` } diff --git a/vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go b/vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go index cc9c04ca..ead8b207 100644 --- a/vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go +++ b/vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go @@ -428,12 +428,10 @@ type RootVolume struct { type ControlPlaneMachineSetStatus struct { // conditions represents the observations of the ControlPlaneMachineSet's current state. // Known .status.conditions.type are: Available, Degraded and Progressing. - // +patchMergeKey=type - // +patchStrategy=merge // +listType=map // +listMapKey=type // +optional - Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + Conditions []metav1.Condition `json:"conditions,omitempty"` // observedGeneration is the most recent generation observed for this // ControlPlaneMachineSet. It corresponds to the ControlPlaneMachineSets's generation, diff --git a/vendor/github.com/openshift/api/machine/v1/types_nutanixprovider.go b/vendor/github.com/openshift/api/machine/v1/types_nutanixprovider.go index cc1a355b..e2ddde2a 100644 --- a/vendor/github.com/openshift/api/machine/v1/types_nutanixprovider.go +++ b/vendor/github.com/openshift/api/machine/v1/types_nutanixprovider.go @@ -331,6 +331,8 @@ type NutanixMachineProviderStatus struct { // conditions is a set of conditions associated with the Machine to indicate // errors or other status // +optional + // +listType=map + // +listMapKey=type Conditions []metav1.Condition `json:"conditions,omitempty"` // vmUUID is the Machine associated VM's UUID diff --git a/vendor/github.com/openshift/api/machine/v1/types_powervsprovider.go b/vendor/github.com/openshift/api/machine/v1/types_powervsprovider.go index b676a8d5..d3a4c6ec 100644 --- a/vendor/github.com/openshift/api/machine/v1/types_powervsprovider.go +++ b/vendor/github.com/openshift/api/machine/v1/types_powervsprovider.go @@ -170,12 +170,10 @@ type PowerVSMachineProviderStatus struct { // conditions is a set of conditions associated with the Machine to indicate // errors or other status - // +patchMergeKey=type - // +patchStrategy=merge // +listType=map // +listMapKey=type // +optional - Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + Conditions []metav1.Condition `json:"conditions,omitempty"` // instanceId is the instance ID of the machine created in PowerVS // instanceId uniquely identifies a Power VS server instance(VM) under a Power VS service. diff --git a/vendor/github.com/openshift/api/machine/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/machine/v1/zz_generated.deepcopy.go index f3051438..61294ef5 100644 --- a/vendor/github.com/openshift/api/machine/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/machine/v1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1 diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go b/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go index 4291b9e8..db15df2c 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go @@ -140,8 +140,10 @@ type BlockDeviceMappingSpec struct { // https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/EbsBlockDevice type EBSBlockDeviceSpec struct { // Indicates whether the EBS volume is deleted on machine termination. + // + // Deprecated: setting this field has no effect. // +optional - DeleteOnTermination *bool `json:"deleteOnTermination,omitempty"` + DeprecatedDeleteOnTermination *bool `json:"deleteOnTermination,omitempty"` // Indicates whether the EBS volume is encrypted. Encrypted Amazon EBS volumes // may only be attached to machines that support Amazon EBS encryption. // +optional @@ -330,6 +332,8 @@ type AWSMachineProviderStatus struct { // conditions is a set of conditions associated with the Machine to indicate // errors or other status // +optional + // +listType=map + // +listMapKey=type Conditions []metav1.Condition `json:"conditions,omitempty"` } diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_azureprovider.go b/vendor/github.com/openshift/api/machine/v1beta1/types_azureprovider.go index db84fa2c..760360bd 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/types_azureprovider.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/types_azureprovider.go @@ -234,6 +234,8 @@ type AzureMachineProviderStatus struct { // conditions is a set of conditions associated with the Machine to indicate // errors or other status. // +optional + // +listType=map + // +listMapKey=type Conditions []metav1.Condition `json:"conditions,omitempty"` } diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_gcpprovider.go b/vendor/github.com/openshift/api/machine/v1beta1/types_gcpprovider.go index e554f466..72a31b5b 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/types_gcpprovider.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/types_gcpprovider.go @@ -313,6 +313,8 @@ type GCPMachineProviderStatus struct { // conditions is a set of conditions associated with the Machine to indicate // errors or other status // +optional + // +listType=map + // +listMapKey=type Conditions []metav1.Condition `json:"conditions,omitempty"` } diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_vsphereprovider.go b/vendor/github.com/openshift/api/machine/v1beta1/types_vsphereprovider.go index 43934c85..fe6626f7 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/types_vsphereprovider.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/types_vsphereprovider.go @@ -265,6 +265,9 @@ type VSphereMachineProviderStatus struct { InstanceState *string `json:"instanceState,omitempty"` // conditions is a set of conditions associated with the Machine to indicate // errors or other status + // +listType=map + // +listMapKey=type + // +optional Conditions []metav1.Condition `json:"conditions,omitempty"` // taskRef is a managed object reference to a Task related to the machine. // This value is set automatically at runtime and should not be set or diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machines-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machines-DevPreviewNoUpgrade.crd.yaml index 448bfea4..349398de 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machines-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machines-DevPreviewNoUpgrade.crd.yaml @@ -81,6 +81,20 @@ spec: spec: description: MachineSpec defines the desired state of Machine properties: + authoritativeAPI: + default: MachineAPI + description: |- + authoritativeAPI is the API that is authoritative for this resource. + Valid values are MachineAPI and ClusterAPI. + When set to MachineAPI, writes to the spec of the machine.openshift.io copy of this resource will be reflected into the cluster.x-k8s.io copy. + When set to ClusterAPI, writes to the spec of the cluster.x-k8s.io copy of this resource will be reflected into the machine.openshift.io copy. + Updates to the status will be reflected in both copies of the resource, based on the controller implementing the functionality of the API. + Currently the authoritative API determines which controller will manage the resource, this will change in a future release. + To ensure the change has been accepted, please verify that the `status.authoritativeAPI` field has been updated to the desired value and that the `Synchronized` condition is present and set to `True`. + enum: + - MachineAPI + - ClusterAPI + type: string lifecycleHooks: description: |- lifecycleHooks allow users to pause operations on the machine at @@ -364,6 +378,23 @@ spec: type: object type: array x-kubernetes-list-type: atomic + authoritativeAPI: + description: |- + authoritativeAPI is the API that is authoritative for this resource. + Valid values are MachineAPI, ClusterAPI and Migrating. + This value is updated by the migration controller to reflect the authoritative API. + Machine API and Cluster API controllers use this value to determine whether or not to reconcile the resource. + When set to Migrating, the migration controller is currently performing the handover of authority from one API to the other. + enum: + - MachineAPI + - ClusterAPI + - Migrating + type: string + x-kubernetes-validations: + - message: The authoritativeAPI field must not transition directly + from MachineAPI to ClusterAPI or vice versa. It must transition + through Migrating. + rule: self == 'Migrating' || self == oldSelf || oldSelf == 'Migrating' conditions: description: conditions defines the current state of the Machine items: @@ -537,7 +568,23 @@ spec: serialized/deserialized from this field. type: object x-kubernetes-preserve-unknown-fields: true + synchronizedGeneration: + description: |- + synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with. + This field is set when the authoritative resource is updated and the sync controller has updated the non-authoritative resource to match. + format: int64 + minimum: 0 + type: integer type: object + x-kubernetes-validations: + - fieldPath: .synchronizedGeneration + message: synchronizedGeneration must not decrease unless authoritativeAPI + is transitioning from Migrating to another value + reason: FieldValueInvalid + rule: '!has(oldSelf.synchronizedGeneration) || (has(self.synchronizedGeneration) + && self.synchronizedGeneration >= oldSelf.synchronizedGeneration) + || (oldSelf.authoritativeAPI == ''Migrating'' && self.authoritativeAPI + != ''Migrating'')' type: object served: true storage: true diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machines-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machines-TechPreviewNoUpgrade.crd.yaml index c08ecebc..c402e33a 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machines-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machines-TechPreviewNoUpgrade.crd.yaml @@ -81,6 +81,20 @@ spec: spec: description: MachineSpec defines the desired state of Machine properties: + authoritativeAPI: + default: MachineAPI + description: |- + authoritativeAPI is the API that is authoritative for this resource. + Valid values are MachineAPI and ClusterAPI. + When set to MachineAPI, writes to the spec of the machine.openshift.io copy of this resource will be reflected into the cluster.x-k8s.io copy. + When set to ClusterAPI, writes to the spec of the cluster.x-k8s.io copy of this resource will be reflected into the machine.openshift.io copy. + Updates to the status will be reflected in both copies of the resource, based on the controller implementing the functionality of the API. + Currently the authoritative API determines which controller will manage the resource, this will change in a future release. + To ensure the change has been accepted, please verify that the `status.authoritativeAPI` field has been updated to the desired value and that the `Synchronized` condition is present and set to `True`. + enum: + - MachineAPI + - ClusterAPI + type: string lifecycleHooks: description: |- lifecycleHooks allow users to pause operations on the machine at @@ -364,6 +378,23 @@ spec: type: object type: array x-kubernetes-list-type: atomic + authoritativeAPI: + description: |- + authoritativeAPI is the API that is authoritative for this resource. + Valid values are MachineAPI, ClusterAPI and Migrating. + This value is updated by the migration controller to reflect the authoritative API. + Machine API and Cluster API controllers use this value to determine whether or not to reconcile the resource. + When set to Migrating, the migration controller is currently performing the handover of authority from one API to the other. + enum: + - MachineAPI + - ClusterAPI + - Migrating + type: string + x-kubernetes-validations: + - message: The authoritativeAPI field must not transition directly + from MachineAPI to ClusterAPI or vice versa. It must transition + through Migrating. + rule: self == 'Migrating' || self == oldSelf || oldSelf == 'Migrating' conditions: description: conditions defines the current state of the Machine items: @@ -537,7 +568,23 @@ spec: serialized/deserialized from this field. type: object x-kubernetes-preserve-unknown-fields: true + synchronizedGeneration: + description: |- + synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with. + This field is set when the authoritative resource is updated and the sync controller has updated the non-authoritative resource to match. + format: int64 + minimum: 0 + type: integer type: object + x-kubernetes-validations: + - fieldPath: .synchronizedGeneration + message: synchronizedGeneration must not decrease unless authoritativeAPI + is transitioning from Migrating to another value + reason: FieldValueInvalid + rule: '!has(oldSelf.synchronizedGeneration) || (has(self.synchronizedGeneration) + && self.synchronizedGeneration >= oldSelf.synchronizedGeneration) + || (oldSelf.authoritativeAPI == ''Migrating'' && self.authoritativeAPI + != ''Migrating'')' type: object served: true storage: true diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machinesets-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machinesets-DevPreviewNoUpgrade.crd.yaml index 6da86259..82abfc04 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machinesets-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machinesets-DevPreviewNoUpgrade.crd.yaml @@ -66,6 +66,20 @@ spec: spec: description: MachineSetSpec defines the desired state of MachineSet properties: + authoritativeAPI: + default: MachineAPI + description: |- + authoritativeAPI is the API that is authoritative for this resource. + Valid values are MachineAPI and ClusterAPI. + When set to MachineAPI, writes to the spec of the machine.openshift.io copy of this resource will be reflected into the cluster.x-k8s.io copy. + When set to ClusterAPI, writes to the spec of the cluster.x-k8s.io copy of this resource will be reflected into the machine.openshift.io copy. + Updates to the status will be reflected in both copies of the resource, based on the controller implementing the functionality of the API. + Currently the authoritative API determines which controller will manage the resource, this will change in a future release. + To ensure the change has been accepted, please verify that the `status.authoritativeAPI` field has been updated to the desired value and that the `Synchronized` condition is present and set to `True`. + enum: + - MachineAPI + - ClusterAPI + type: string deletePolicy: description: |- deletePolicy defines the policy used to identify nodes to delete when downscaling. @@ -267,6 +281,20 @@ spec: Specification of the desired behavior of the machine. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status properties: + authoritativeAPI: + default: MachineAPI + description: |- + authoritativeAPI is the API that is authoritative for this resource. + Valid values are MachineAPI and ClusterAPI. + When set to MachineAPI, writes to the spec of the machine.openshift.io copy of this resource will be reflected into the cluster.x-k8s.io copy. + When set to ClusterAPI, writes to the spec of the cluster.x-k8s.io copy of this resource will be reflected into the machine.openshift.io copy. + Updates to the status will be reflected in both copies of the resource, based on the controller implementing the functionality of the API. + Currently the authoritative API determines which controller will manage the resource, this will change in a future release. + To ensure the change has been accepted, please verify that the `status.authoritativeAPI` field has been updated to the desired value and that the `Synchronized` condition is present and set to `True`. + enum: + - MachineAPI + - ClusterAPI + type: string lifecycleHooks: description: |- lifecycleHooks allow users to pause operations on the machine at @@ -535,6 +563,23 @@ spec: status: description: MachineSetStatus defines the observed state of MachineSet properties: + authoritativeAPI: + description: |- + authoritativeAPI is the API that is authoritative for this resource. + Valid values are MachineAPI, ClusterAPI and Migrating. + This value is updated by the migration controller to reflect the authoritative API. + Machine API and Cluster API controllers use this value to determine whether or not to reconcile the resource. + When set to Migrating, the migration controller is currently performing the handover of authority from one API to the other. + enum: + - MachineAPI + - ClusterAPI + - Migrating + type: string + x-kubernetes-validations: + - message: The authoritativeAPI field must not transition directly + from MachineAPI to ClusterAPI or vice versa. It must transition + through Migrating. + rule: self == 'Migrating' || self == oldSelf || oldSelf == 'Migrating' availableReplicas: description: The number of available replicas (ready for at least minReadySeconds) for this MachineSet. @@ -630,7 +675,23 @@ spec: description: replicas is the most recently observed number of replicas. format: int32 type: integer + synchronizedGeneration: + description: |- + synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with. + This field is set when the authoritative resource is updated and the sync controller has updated the non-authoritative resource to match. + format: int64 + minimum: 0 + type: integer type: object + x-kubernetes-validations: + - fieldPath: .synchronizedGeneration + message: synchronizedGeneration must not decrease unless authoritativeAPI + is transitioning from Migrating to another value + reason: FieldValueInvalid + rule: '!has(oldSelf.synchronizedGeneration) || (has(self.synchronizedGeneration) + && self.synchronizedGeneration >= oldSelf.synchronizedGeneration) + || (oldSelf.authoritativeAPI == ''Migrating'' && self.authoritativeAPI + != ''Migrating'')' type: object served: true storage: true diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machinesets-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machinesets-TechPreviewNoUpgrade.crd.yaml index 51bbf02e..c7d51256 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machinesets-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machinesets-TechPreviewNoUpgrade.crd.yaml @@ -66,6 +66,20 @@ spec: spec: description: MachineSetSpec defines the desired state of MachineSet properties: + authoritativeAPI: + default: MachineAPI + description: |- + authoritativeAPI is the API that is authoritative for this resource. + Valid values are MachineAPI and ClusterAPI. + When set to MachineAPI, writes to the spec of the machine.openshift.io copy of this resource will be reflected into the cluster.x-k8s.io copy. + When set to ClusterAPI, writes to the spec of the cluster.x-k8s.io copy of this resource will be reflected into the machine.openshift.io copy. + Updates to the status will be reflected in both copies of the resource, based on the controller implementing the functionality of the API. + Currently the authoritative API determines which controller will manage the resource, this will change in a future release. + To ensure the change has been accepted, please verify that the `status.authoritativeAPI` field has been updated to the desired value and that the `Synchronized` condition is present and set to `True`. + enum: + - MachineAPI + - ClusterAPI + type: string deletePolicy: description: |- deletePolicy defines the policy used to identify nodes to delete when downscaling. @@ -267,6 +281,20 @@ spec: Specification of the desired behavior of the machine. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status properties: + authoritativeAPI: + default: MachineAPI + description: |- + authoritativeAPI is the API that is authoritative for this resource. + Valid values are MachineAPI and ClusterAPI. + When set to MachineAPI, writes to the spec of the machine.openshift.io copy of this resource will be reflected into the cluster.x-k8s.io copy. + When set to ClusterAPI, writes to the spec of the cluster.x-k8s.io copy of this resource will be reflected into the machine.openshift.io copy. + Updates to the status will be reflected in both copies of the resource, based on the controller implementing the functionality of the API. + Currently the authoritative API determines which controller will manage the resource, this will change in a future release. + To ensure the change has been accepted, please verify that the `status.authoritativeAPI` field has been updated to the desired value and that the `Synchronized` condition is present and set to `True`. + enum: + - MachineAPI + - ClusterAPI + type: string lifecycleHooks: description: |- lifecycleHooks allow users to pause operations on the machine at @@ -535,6 +563,23 @@ spec: status: description: MachineSetStatus defines the observed state of MachineSet properties: + authoritativeAPI: + description: |- + authoritativeAPI is the API that is authoritative for this resource. + Valid values are MachineAPI, ClusterAPI and Migrating. + This value is updated by the migration controller to reflect the authoritative API. + Machine API and Cluster API controllers use this value to determine whether or not to reconcile the resource. + When set to Migrating, the migration controller is currently performing the handover of authority from one API to the other. + enum: + - MachineAPI + - ClusterAPI + - Migrating + type: string + x-kubernetes-validations: + - message: The authoritativeAPI field must not transition directly + from MachineAPI to ClusterAPI or vice versa. It must transition + through Migrating. + rule: self == 'Migrating' || self == oldSelf || oldSelf == 'Migrating' availableReplicas: description: The number of available replicas (ready for at least minReadySeconds) for this MachineSet. @@ -630,7 +675,23 @@ spec: description: replicas is the most recently observed number of replicas. format: int32 type: integer + synchronizedGeneration: + description: |- + synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with. + This field is set when the authoritative resource is updated and the sync controller has updated the non-authoritative resource to match. + format: int64 + minimum: 0 + type: integer type: object + x-kubernetes-validations: + - fieldPath: .synchronizedGeneration + message: synchronizedGeneration must not decrease unless authoritativeAPI + is transitioning from Migrating to another value + reason: FieldValueInvalid + rule: '!has(oldSelf.synchronizedGeneration) || (has(self.synchronizedGeneration) + && self.synchronizedGeneration >= oldSelf.synchronizedGeneration) + || (oldSelf.authoritativeAPI == ''Migrating'' && self.authoritativeAPI + != ''Migrating'')' type: object served: true storage: true diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go index ba9aae81..7763435a 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1beta1 @@ -518,8 +518,8 @@ func (in *DiskSettings) DeepCopy() *DiskSettings { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *EBSBlockDeviceSpec) DeepCopyInto(out *EBSBlockDeviceSpec) { *out = *in - if in.DeleteOnTermination != nil { - in, out := &in.DeleteOnTermination, &out.DeleteOnTermination + if in.DeprecatedDeleteOnTermination != nil { + in, out := &in.DeprecatedDeleteOnTermination, &out.DeprecatedDeleteOnTermination *out = new(bool) **out = **in } diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go index b2e55376..2667a0aa 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go @@ -84,7 +84,7 @@ func (BlockDeviceMappingSpec) SwaggerDoc() map[string]string { var map_EBSBlockDeviceSpec = map[string]string{ "": "EBSBlockDeviceSpec describes a block device for an EBS volume. https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/EbsBlockDevice", - "deleteOnTermination": "Indicates whether the EBS volume is deleted on machine termination.", + "deleteOnTermination": "Indicates whether the EBS volume is deleted on machine termination.\n\nDeprecated: setting this field has no effect.", "encrypted": "Indicates whether the EBS volume is encrypted. Encrypted Amazon EBS volumes may only be attached to machines that support Amazon EBS encryption.", "kmsKey": "Indicates the KMS key that should be used to encrypt the Amazon EBS volume.", "iops": "The number of I/O operations per second (IOPS) that the volume supports. For io1, this represents the number of IOPS that are provisioned for the volume. For gp2, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting. For more information about General Purpose SSD baseline performance, I/O credits, and bursting, see Amazon EBS Volume Types (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) in the Amazon Elastic Compute Cloud User Guide.\n\nMinimal and maximal IOPS for io1 and gp2 are constrained. Please, check https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html for precise boundaries for individual volumes.\n\nCondition: This parameter is required for requests to create io1 volumes; it is not used in requests to create gp2, st1, sc1, or standard volumes.", diff --git a/vendor/github.com/openshift/machine-api-operator/pkg/controller/machine/controller.go b/vendor/github.com/openshift/machine-api-operator/pkg/controller/machine/controller.go index 0bb0b3d0..38e4b497 100644 --- a/vendor/github.com/openshift/machine-api-operator/pkg/controller/machine/controller.go +++ b/vendor/github.com/openshift/machine-api-operator/pkg/controller/machine/controller.go @@ -177,43 +177,60 @@ func (r *ReconcileMachine) Reconcile(ctx context.Context, request reconcile.Requ originalConditions := conditions.DeepCopyConditions(m.Status.Conditions) if r.gate.Enabled(featuregate.Feature(openshiftfeatures.FeatureGateMachineAPIMigration)) { - // Check Status.AuthoritativeAPI - // If not MachineAPI. Set the paused condition true and return early. - // - // Once we have a webhook, we want to remove the check that the AuthoritativeAPI - // field is populated. - if m.Status.AuthoritativeAPI != "" && - m.Status.AuthoritativeAPI != machinev1.MachineAuthorityMachineAPI { - conditions.Set(m, conditions.TrueConditionWithReason( - PausedCondition, - PausedConditionReason, - "The AuthoritativeAPI is set to %s", string(m.Status.AuthoritativeAPI), - )) - if patchErr := r.updateStatus(ctx, m, ptr.Deref(m.Status.Phase, ""), nil, originalConditions); patchErr != nil { - klog.Errorf("%v: error patching status: %v", machineName, patchErr) + switch m.Status.AuthoritativeAPI { + case "": + // An empty .status.authoritativeAPI normally means the resource has not yet been reconciled. + // and that the value in .spec.authoritativeAPI has not been propagated to .status.authoritativeAPI yet. + // This value can be set by two separate controllers, depending which one of them is running at that time, + // or in case they are both running, which one gets to set it first (the operation is idempotent so there is no harm in racing). + // - the cluster-capi-operator machine-api-migration's migration controller + // - this controller + + klog.Infof("%v: machine .status.authoritativeAPI is not yet set, setting it to .spec.authoritativeAPI", m.Name) + + if err := r.patchStatusAuthoritativeAPI(ctx, m, m.Spec.AuthoritativeAPI); err != nil { + klog.Errorf("%v: error patching status to set .status.authoritativeAPI for machine: %v", m.Name, err) + return reconcile.Result{}, fmt.Errorf("error patching status to set .status.authoritativeAPI for machine %s: %w", m.Name, err) + } + + // Return to give a chance to the changes to get propagated. + return reconcile.Result{}, nil + + case machinev1.MachineAuthorityClusterAPI, machinev1.MachineAuthorityMigrating: + // In cases when .status.authoritativeAPI is set to machinev1.MachineAuthorityClusterAPI, machinev1.MachineAuthorityMigrating + // the resource should be paused and not reconciled further. + desiredCondition := conditions.TrueConditionWithReason( + PausedCondition, PausedConditionReason, + "The AuthoritativeAPI status is set to '%s'", string(m.Status.AuthoritativeAPI), + ) + + if _, err := r.ensureUpdatedPausedCondition(ctx, m, desiredCondition, + fmt.Sprintf("%v: machine .status.authoritativeAPI is set to '%s', ensuring machine is paused", machineName, m.Status.AuthoritativeAPI)); err != nil { + return reconcile.Result{}, fmt.Errorf("failed to ensure paused condition: %w", err) } klog.Infof("%v: machine is paused, taking no further action", machineName) + return reconcile.Result{}, nil - } - var pausedFalseReason string - if m.Status.AuthoritativeAPI != "" { - pausedFalseReason = fmt.Sprintf("The AuthoritativeAPI is set to %s", string(m.Status.AuthoritativeAPI)) - } else { - pausedFalseReason = "The AuthoritativeAPI is not set" - } + case machinev1.MachineAuthorityMachineAPI: + // The authority is MachineAPI and the resource should not be paused. + desiredCondition := conditions.FalseCondition( + PausedCondition, NotPausedConditionReason, machinev1.ConditionSeverityInfo, "%s", + fmt.Sprintf("The AuthoritativeAPI status is set to '%s'", string(m.Status.AuthoritativeAPI)), + ) + + if updated, err := r.ensureUpdatedPausedCondition(ctx, m, desiredCondition, + fmt.Sprintf("%v: machine .status.authoritativeAPI is set to '%s', unpausing machine", machineName, m.Status.AuthoritativeAPI)); err != nil { + return reconcile.Result{}, fmt.Errorf("failed to ensure paused condition: %w", err) + } else if updated { + klog.Infof("%v: setting machine paused condition to false", machineName) + } - // Set the paused condition to false, continue reconciliation - conditions.Set(m, conditions.FalseCondition( - PausedCondition, - NotPausedConditionReason, - machinev1.ConditionSeverityInfo, - "%s", - pausedFalseReason, - )) - if patchErr := r.updateStatus(ctx, m, ptr.Deref(m.Status.Phase, ""), nil, originalConditions); patchErr != nil { - klog.Errorf("%v: error patching status: %v", machineName, patchErr) + // Fallthrough and continue reconcilation. + default: + klog.Errorf("%v: invalid .status.authoritativeAPI '%s'", machineName, m.Status.AuthoritativeAPI) + return reconcile.Result{}, nil // Do not return an error to avoid immediate requeue. } } @@ -433,6 +450,23 @@ func (r *ReconcileMachine) deleteNode(ctx context.Context, name string) error { return r.Client.Delete(ctx, &node) } +// ensureUpdatedPausedCondition updates the paused condition if needed. +func (r *ReconcileMachine) ensureUpdatedPausedCondition(ctx context.Context, m *machinev1.Machine, desiredCondition *machinev1.Condition, logMessage string) (bool, error) { + oldM := m.DeepCopy() + if !conditions.IsEquivalentTo(conditions.Get(m, PausedCondition), desiredCondition) { + klog.Info(logMessage) + conditions.Set(m, desiredCondition) + if err := r.updateStatus(ctx, m, ptr.Deref(m.Status.Phase, ""), nil, oldM.Status.Conditions); err != nil { + klog.Errorf("%v: error updating status: %v", oldM.Name, err) + return false, fmt.Errorf("error updating status for machine %s: %w", oldM.Name, err) + } + + return true, nil + } + + return false, nil +} + func delayIfRequeueAfterError(err error) (reconcile.Result, error) { var requeueAfterError *RequeueAfterError if errors.As(err, &requeueAfterError) { @@ -538,6 +572,17 @@ func (r *ReconcileMachine) updateStatus(ctx context.Context, machine *machinev1. return nil } +func (r *ReconcileMachine) patchStatusAuthoritativeAPI(ctx context.Context, machine *machinev1.Machine, authoritativeAPI machinev1.MachineAuthority) error { + baseToPatch := client.MergeFrom(machine.DeepCopy()) + machine.Status.AuthoritativeAPI = authoritativeAPI + + if err := r.Client.Status().Patch(ctx, machine, baseToPatch); err != nil { + return fmt.Errorf("error patching machine status: %w", err) + } + + return nil +} + func (r *ReconcileMachine) patchFailedMachineInstanceAnnotation(ctx context.Context, machine *machinev1.Machine) error { baseToPatch := client.MergeFrom(machine.DeepCopy()) if machine.Annotations == nil { diff --git a/vendor/github.com/openshift/machine-api-operator/pkg/controller/machine/drain_controller.go b/vendor/github.com/openshift/machine-api-operator/pkg/controller/machine/drain_controller.go index d75b146d..5ada1b3c 100644 --- a/vendor/github.com/openshift/machine-api-operator/pkg/controller/machine/drain_controller.go +++ b/vendor/github.com/openshift/machine-api-operator/pkg/controller/machine/drain_controller.go @@ -75,6 +75,7 @@ func (d *machineDrainController) Reconcile(ctx context.Context, request reconcil // Error reading the object - requeue the request. return reconcile.Result{}, err } + machineCopy := m.DeepCopy() existingDrainedCondition := conditions.Get(m, machinev1.MachineDrained) alreadyDrained := existingDrainedCondition != nil && existingDrainedCondition.Status == corev1.ConditionTrue @@ -110,9 +111,9 @@ func (d *machineDrainController) Reconcile(ctx context.Context, request reconcil } conditions.Set(m, drainFinishedCondition) - // requeue request in case of failed update - if err := d.Client.Status().Update(ctx, m); err != nil { - return reconcile.Result{}, fmt.Errorf("could not update machine status: %w", err) + // requeue request in case of failed patch + if err := d.Client.Status().Patch(ctx, m, client.MergeFrom(machineCopy)); err != nil { + return reconcile.Result{}, fmt.Errorf("could not patch machine status: %w", err) } return reconcile.Result{}, nil } diff --git a/vendor/github.com/openshift/machine-api-operator/pkg/util/conditions/gettersetter.go b/vendor/github.com/openshift/machine-api-operator/pkg/util/conditions/gettersetter.go index d2a3eafb..9a6fda8c 100644 --- a/vendor/github.com/openshift/machine-api-operator/pkg/util/conditions/gettersetter.go +++ b/vendor/github.com/openshift/machine-api-operator/pkg/util/conditions/gettersetter.go @@ -151,6 +151,20 @@ func IsFalse(from interface{}, t machinev1.ConditionType) bool { return false } +// IsEquivalentTo returns true if condition a is equivalent to condition b, +// by checking for equality of the following fields: Type, Status, Reason, Severity and Message (it excludes LastTransitionTime). +func IsEquivalentTo(a, b *machinev1.Condition) bool { + if a == nil && b == nil { + return true + } else if a == nil { + return false + } else if b == nil { + return false + } + + return hasSameState(a, b) +} + // lexicographicLess returns true if a condition is less than another with regards to the // to order of conditions designed for convenience of the consumer, i.e. kubectl. func lexicographicLess(i, j *machinev1.Condition) bool { diff --git a/vendor/modules.txt b/vendor/modules.txt index e9df38d7..222796ca 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -286,7 +286,7 @@ github.com/onsi/gomega/matchers/support/goraph/edge github.com/onsi/gomega/matchers/support/goraph/node github.com/onsi/gomega/matchers/support/goraph/util github.com/onsi/gomega/types -# github.com/openshift/api v0.0.0-20250305122440-3e04d3af8c3e +# github.com/openshift/api v0.0.0-20250528100135-a463917701ab ## explicit; go 1.23.0 github.com/openshift/api/config/v1 github.com/openshift/api/config/v1/zz_generated.crd-manifests @@ -316,7 +316,7 @@ github.com/openshift/client-go/machine/listers/machine/v1beta1 github.com/openshift/library-go/pkg/config/clusterstatus github.com/openshift/library-go/pkg/config/leaderelection github.com/openshift/library-go/pkg/features -# github.com/openshift/machine-api-operator v0.2.1-0.20250331230956-c6b86e48e8fd +# github.com/openshift/machine-api-operator v0.2.1-0.20250704070513-81d86b5a1ef5 ## explicit; go 1.23.0 github.com/openshift/machine-api-operator/pkg/controller/machine github.com/openshift/machine-api-operator/pkg/metrics