diff --git a/go.mod b/go.mod
index eb7452068..696c54dc6 100644
--- a/go.mod
+++ b/go.mod
@@ -5,9 +5,9 @@ go 1.20
 require (
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
 github.com/go-bindata/go-bindata v3.1.2+incompatible
- github.com/openshift/api v0.0.0-20231128213045-03f577bfbd59
+ github.com/openshift/api v0.0.0-20231212152002-ef62af078a93
 github.com/openshift/build-machinery-go v0.0.0-20230306181456-d321ffa04533
- github.com/openshift/client-go v0.0.0-20231121143148-910ca30a1a9a
+ github.com/openshift/client-go v0.0.0-20231212205830-0ab0864ec8c2
 github.com/openshift/library-go v0.0.0-20231017173800-126f85ed0cc7
 github.com/spf13/cobra v1.7.0
 github.com/spf13/pflag v1.0.5
diff --git a/go.sum b/go.sum
index 73d70de6c..5cdcbf8ee 100644
--- a/go.sum
+++ b/go.sum
@@ -234,12 +234,12 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/onsi/ginkgo/v2 v2.9.4 h1:xR7vG4IXt5RWx6FfIjyAtsoMAtnc3C/rFXBBd2AjZwE= github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE= -github.com/openshift/api v0.0.0-20231128213045-03f577bfbd59 h1:NYU5fgM78oN7QggWe3miTLHdx6G8RG/awdm64/2QlHE= -github.com/openshift/api v0.0.0-20231128213045-03f577bfbd59/go.mod h1:qNtV0315F+f8ld52TLtPvrfivZpdimOzTi3kn9IVbtU= +github.com/openshift/api v0.0.0-20231212152002-ef62af078a93 h1:hNj5+Wz2nZLNW1Sryj4r6R4tLAIZ+PJQd1k24kvga7g= +github.com/openshift/api v0.0.0-20231212152002-ef62af078a93/go.mod h1:qNtV0315F+f8ld52TLtPvrfivZpdimOzTi3kn9IVbtU= github.com/openshift/build-machinery-go v0.0.0-20230306181456-d321ffa04533 h1:mh3ZYs7kPIIe3UUY6tJcTExmtjnXXUu0MrBuK2W/Qvw= github.com/openshift/build-machinery-go v0.0.0-20230306181456-d321ffa04533/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= -github.com/openshift/client-go v0.0.0-20231121143148-910ca30a1a9a h1:4FVrw8hz0Wb3izbf6JfOEK+pJTYpEvteRR73mCh2g/A= -github.com/openshift/client-go v0.0.0-20231121143148-910ca30a1a9a/go.mod h1:arApQobmOjZqtxw44TwnQdUCH+t9DgZ8geYPFqksHws= +github.com/openshift/client-go v0.0.0-20231212205830-0ab0864ec8c2 h1:ArsCqZ2t7Jepm44YxW/4t2q1bPcqiyn5erNwpfbk8dE= +github.com/openshift/client-go v0.0.0-20231212205830-0ab0864ec8c2/go.mod h1:rk91ouw63QUVu2NfUt09MSJT4W54q5J5EV94f87jNC8= github.com/openshift/library-go v0.0.0-20231017173800-126f85ed0cc7 h1:pJLcCSJzdiWCaJ4bAepgnvwMdP33LumbVJyWSW7+3ng= github.com/openshift/library-go v0.0.0-20231017173800-126f85ed0cc7/go.mod h1:jgxNp8aApJnZtECid9SUSr5Bu6DLo8Hfdv1DgFZaYA8= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 
diff --git a/vendor/github.com/openshift/api/Dockerfile.rhel8 b/vendor/github.com/openshift/api/Dockerfile.rhel8 index a78178319..25b1b857c 100644 --- a/vendor/github.com/openshift/api/Dockerfile.rhel8 +++ b/vendor/github.com/openshift/api/Dockerfile.rhel8 @@ -1,10 +1,10 @@ -FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.20-openshift-4.15 AS builder +FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.20-openshift-4.16 AS builder WORKDIR /go/src/github.com/openshift/api COPY . . ENV GO_PACKAGE github.com/openshift/api RUN make build --warn-undefined-variables -FROM registry.ci.openshift.org/ocp/4.15:base-rhel9 +FROM registry.ci.openshift.org/ocp/4.16:base-rhel9 # copy the built binaries to /usr/bin COPY --from=builder /go/src/github.com/openshift/api/render /usr/bin/ 
@@ -12,23 +12,11 @@ COPY --from=builder /go/src/github.com/openshift/api/write-available-featuresets # this directory is used to produce rendered manifests that the installer applies (but does not maintain) in bootkube RUN mkdir -p /usr/share/bootkube/manifests/manifests -COPY config/v1/*_config-operator_*.yaml /usr/share/bootkube/manifests/manifests -COPY quota/v1/*.crd.yaml /usr/share/bootkube/manifests/manifests -COPY security/v1/*.crd.yaml /usr/share/bootkube/manifests/manifests -COPY securityinternal/v1/*.crd.yaml /usr/share/bootkube/manifests/manifests -COPY authorization/v1/*.crd.yaml /usr/share/bootkube/manifests/manifests -COPY operator/v1alpha1/0000_10_config-operator_01_imagecontentsourcepolicy.crd.yaml /usr/share/bootkube/manifests/manifests +COPY payload-manifests/crds/* /usr/share/bootkube/manifests/manifests # these are applied by the CVO COPY manifests /manifests -# TODO copy these back when we're ready to make the switch from cluster-config-operator to here -#COPY config/v1/*_config-operator_*.yaml /manifests -#COPY quota/v1/*.crd.yaml /manifests -#COPY security/v1/*.crd.yaml /manifests -#COPY securityinternal/v1/*.crd.yaml /manifests -#COPY authorization/v1/*.crd.yaml /manifests -#COPY operator/v1alpha1/0000_10_config-operator_01_imagecontentsourcepolicy.crd.yaml /manifests -#COPY operator/v1/0000_10_config-operator_*.yaml /manifests -#COPY payload-command/empty-resources /manifests +COPY payload-manifests/crds/* /manifests +COPY payload-command/empty-resources /manifests LABEL io.openshift.release.operator true diff --git a/vendor/github.com/openshift/api/Makefile b/vendor/github.com/openshift/api/Makefile index 69eee4376..3155c6830 100644 --- a/vendor/github.com/openshift/api/Makefile +++ b/vendor/github.com/openshift/api/Makefile 
@@ -49,6 +49,7 @@ verify-scripts: bash -x hack/verify-integration-tests.sh bash -x hack/verify-group-versions.sh bash -x hack/verify-prerelease-lifecycle-gen.sh + hack/verify-payload-crds.sh .PHONY: verify verify: verify-scripts verify-crd-schema verify-codegen-crds @@ -76,7 +77,7 @@ verify-%: ################################################################################################ .PHONY: update-scripts -update-scripts: update-compatibility update-openapi update-deepcopy update-protobuf update-swagger-docs tests-vendor update-prerelease-lifecycle-gen +update-scripts: update-compatibility update-openapi update-deepcopy update-protobuf update-swagger-docs tests-vendor update-prerelease-lifecycle-gen update-payload-crds .PHONY: update-compatibility update-compatibility: @@ -102,6 +103,10 @@ update-swagger-docs: update-prerelease-lifecycle-gen: hack/update-prerelease-lifecycle-gen.sh +.PHONY: update-payload-crds +update-payload-crds: + hack/update-payload-crds.sh + ##################### # # END: Update scripts diff --git a/vendor/github.com/openshift/api/README.md b/vendor/github.com/openshift/api/README.md index 0c4e034b3..3d13b8c98 100644 --- a/vendor/github.com/openshift/api/README.md +++ b/vendor/github.com/openshift/api/README.md 
@@ -46,7 +46,7 @@ Since Kubernetes 1.16, every CRD created in `apiextensions.k8s.io/v1` is require These schemas are often very long and complex, and should not be written by hand. For OpenShift, we provide Makefile targets in [build-machinery-go](https://github.com/openshift/build-machinery-go/) which generate the schema, built on upstream's [controller-gen](https://github.com/kubernetes-sigs/controller-tools) tool. -If you make a change to a CRD type in this repo, simply calling `make update-codegen-crds` should regenerate all CRDs and update the manifests. If yours is not updated, ensure that the path to its API is included in our [calls to the Makefile targets](https://github.com/openshift/api/blob/release-4.5/Makefile#L17-L29). +If you make a change to a CRD type in this repo, simply calling `make update-codegen-crds` should regenerate all CRDs and update the manifests. If yours is not updated, ensure that the path to its API is included in our [calls to the Makefile targets](https://github.com/openshift/api/blob/release-4.5/Makefile#L17-L29), if this doesn't help try calling `make generate-with-container` for executing the generators in a controlled environment. To add this generator to another repo: 1. Vendor `github.com/openshift/build-machinery-go` diff --git a/vendor/github.com/openshift/api/config/v1/0000_00_cluster-version-operator_01_clusterversion-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/0000_00_cluster-version-operator_01_clusterversion-CustomNoUpgrade.crd.yaml new file mode 100644 index 000000000..a3d357686 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/0000_00_cluster-version-operator_01_clusterversion-CustomNoUpgrade.crd.yaml 
@@ -0,0 +1,503 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/495 + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: clusterversions.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ClusterVersion + plural: clusterversions + singular: clusterversion + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.history[?(@.state=="Completed")].version + name: Version + type: string + - jsonPath: .status.conditions[?(@.type=="Available")].status + name: Available + type: string + - jsonPath: .status.conditions[?(@.type=="Progressing")].status + name: Progressing + type: string + - jsonPath: .status.conditions[?(@.type=="Progressing")].lastTransitionTime + name: Since + type: date + - jsonPath: .status.conditions[?(@.type=="Progressing")].message + name: Status + type: string + name: v1 + schema: + openAPIV3Schema: + description: "ClusterVersion is the configuration for the ClusterVersionOperator. This is where parameters related to automatic updates can be set. \n Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer)." + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: spec is the desired state of the cluster version - the operator will work to ensure that the desired version is applied to the cluster. + type: object + required: + - clusterID + properties: + capabilities: + description: capabilities configures the installation of optional, core cluster components. A null value here is identical to an empty object; see the child properties for default semantics. + type: object + properties: + additionalEnabledCapabilities: + description: additionalEnabledCapabilities extends the set of managed capabilities beyond the baseline defined in baselineCapabilitySet. The default is an empty set. + type: array + items: + description: ClusterVersionCapability enumerates optional, core cluster components. + type: string + enum: + - openshift-samples + - baremetal + - marketplace + - Console + - Insights + - Storage + - CSISnapshot + - NodeTuning + - MachineAPI + - Build + - DeploymentConfig + - ImageRegistry + - OperatorLifecycleManager + - CloudCredential + x-kubernetes-list-type: atomic + baselineCapabilitySet: + description: baselineCapabilitySet selects an initial set of optional capabilities to enable, which can be extended via additionalEnabledCapabilities. If unset, the cluster will choose a default, and the default may change over time. The current default is vCurrent. + type: string + enum: + - None + - v4.11 + - v4.12 + - v4.13 + - v4.14 + - v4.15 + - vCurrent + channel: + description: channel is an identifier for explicitly requesting that a non-default set of updates be applied to this cluster. The default channel will be contain stable updates that are appropriate for production clusters. + type: string + clusterID: + description: clusterID uniquely identifies this cluster. 
This is expected to be an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in hexadecimal values). This is a required field. + type: string + desiredUpdate: + description: "desiredUpdate is an optional field that indicates the desired value of the cluster version. Setting this value will trigger an upgrade (if the current version does not match the desired version). The set of recommended update values is listed as part of available updates in status, and setting values outside that range may cause the upgrade to fail. \n Some of the fields are inter-related with restrictions and meanings described here. 1. image is specified, version is specified, architecture is specified. API validation error. 2. image is specified, version is specified, architecture is not specified. You should not do this. version is silently ignored and image is used. 3. image is specified, version is not specified, architecture is specified. API validation error. 4. image is specified, version is not specified, architecture is not specified. image is used. 5. image is not specified, version is specified, architecture is specified. version and desired architecture are used to select an image. 6. image is not specified, version is specified, architecture is not specified. version and current architecture are used to select an image. 7. image is not specified, version is not specified, architecture is specified. API validation error. 8. image is not specified, version is not specified, architecture is not specified. API validation error. \n If an upgrade fails the operator will halt and report status about the failing component. Setting the desired update value back to the previous version will cause a rollback to be attempted. Not all rollbacks will succeed." + type: object + properties: + architecture: + description: architecture is an optional field that indicates the desired value of the cluster architecture. 
In this context cluster architecture means either a single architecture or a multi architecture. architecture can only be set to Multi thereby only allowing updates from single to multi architecture. If architecture is set, image cannot be set and version must be set. Valid values are 'Multi' and empty. + type: string + enum: + - Multi + - "" + force: + description: force allows an administrator to update to an image that has failed verification or upgradeable checks. This option should only be used when the authenticity of the provided image has been verified out of band because the provided image will run with full administrative access to the cluster. Do not use this flag with images that comes from unknown or potentially malicious sources. + type: boolean + image: + description: image is a container image location that contains the update. image should be used when the desired version does not exist in availableUpdates or history. When image is set, version is ignored. When image is set, version should be empty. When image is set, architecture cannot be specified. + type: string + version: + description: version is a semantic version identifying the update version. version is ignored if image is specified and required if architecture is specified. + type: string + x-kubernetes-validations: + - rule: 'has(self.architecture) && has(self.image) ? (self.architecture == '''' || self.image == '''') : true' + message: cannot set both Architecture and Image + - rule: 'has(self.architecture) && self.architecture != '''' ? self.version != '''' : true' + message: Version must be set if Architecture is set + overrides: + description: overrides is list of overides for components that are managed by cluster version operator. Marking a component unmanaged will prevent the operator from creating or updating the object. + type: array + items: + description: ComponentOverride allows overriding cluster version operator's behavior for a component. 
+ type: object + required: + - group + - kind + - name + - namespace + - unmanaged + properties: + group: + description: group identifies the API group that the kind is in. + type: string + kind: + description: kind indentifies which object to override. + type: string + name: + description: name is the component's name. + type: string + namespace: + description: namespace is the component's namespace. If the resource is cluster scoped, the namespace should be empty. + type: string + unmanaged: + description: 'unmanaged controls if cluster version operator should stop managing the resources in this cluster. Default: false' + type: boolean + x-kubernetes-list-map-keys: + - kind + - group + - namespace + - name + x-kubernetes-list-type: map + signatureStores: + description: "signatureStores contains the upstream URIs to verify release signatures and optional reference to a config map by name containing the PEM-encoded CA bundle. \n By default, CVO will use existing signature stores if this property is empty. The CVO will check the release signatures in the local ConfigMaps first. It will search for a valid signature in these stores in parallel only when local ConfigMaps did not include a valid signature. Validation will fail if none of the signature stores reply with valid signature before timeout. Setting signatureStores will replace the default signature stores with custom signature stores. Default stores can be used with custom signature stores by adding them manually. \n A maximum of 32 signature stores may be configured." + type: array + maxItems: 32 + items: + description: SignatureStore represents the URL of custom Signature Store + type: object + required: + - url + properties: + ca: + description: ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. It is used as a trust anchor to validate the TLS certificate presented by the remote server. The key "ca.crt" is used to locate the data. 
If specified and the config map or expected key is not found, the signature store is not honored. If the specified ca data is not valid, the signature store is not honored. If empty, we fall back to the CA configured via Proxy, which is appended to the default system roots. The namespace for this config map is openshift-config. + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced config map + type: string + url: + description: url contains the upstream custom signature store URL. url should be a valid absolute http/https URI of an upstream signature store as per rfc1738. This must be provided and cannot be empty. + type: string + x-kubernetes-validations: + - rule: isURL(self) + message: url must be a valid absolute URL + x-kubernetes-list-map-keys: + - url + x-kubernetes-list-type: map + upstream: + description: upstream may be used to specify the preferred update server. By default it will use the appropriate update server for the cluster and region. + type: string + status: + description: status contains information about the available updates and any in-progress updates. + type: object + required: + - availableUpdates + - desired + - observedGeneration + - versionHash + properties: + availableUpdates: + description: availableUpdates contains updates recommended for this cluster. Updates which appear in conditionalUpdates but not in availableUpdates may expose this cluster to known issues. This list may be empty if no updates are recommended, if the update service is unavailable, or if an invalid channel has been specified. + type: array + items: + description: Release represents an OpenShift release image and associated metadata. + type: object + properties: + channels: + description: channels is the set of Cincinnati channels to which the release currently belongs. 
+ type: array + items: + type: string + x-kubernetes-list-type: set + image: + description: image is a container image location that contains the update. When this field is part of spec, image is optional if version is specified and the availableUpdates field contains a matching version. + type: string + url: + description: url contains information about this release. This URL is set by the 'url' metadata property on a release or the metadata returned by the update API and should be displayed as a link in user interfaces. The URL field may not be set for test or nightly releases. + type: string + version: + description: version is a semantic version identifying the update version. When this field is part of spec, version is optional if image is specified. + type: string + nullable: true + x-kubernetes-list-type: atomic + capabilities: + description: capabilities describes the state of optional, core cluster components. + type: object + properties: + enabledCapabilities: + description: enabledCapabilities lists all the capabilities that are currently managed. + type: array + items: + description: ClusterVersionCapability enumerates optional, core cluster components. + type: string + enum: + - openshift-samples + - baremetal + - marketplace + - Console + - Insights + - Storage + - CSISnapshot + - NodeTuning + - MachineAPI + - Build + - DeploymentConfig + - ImageRegistry + - OperatorLifecycleManager + - CloudCredential + x-kubernetes-list-type: atomic + knownCapabilities: + description: knownCapabilities lists all the capabilities known to the current cluster. + type: array + items: + description: ClusterVersionCapability enumerates optional, core cluster components. 
+ type: string + enum: + - openshift-samples + - baremetal + - marketplace + - Console + - Insights + - Storage + - CSISnapshot + - NodeTuning + - MachineAPI + - Build + - DeploymentConfig + - ImageRegistry + - OperatorLifecycleManager + - CloudCredential + x-kubernetes-list-type: atomic + conditionalUpdates: + description: conditionalUpdates contains the list of updates that may be recommended for this cluster if it meets specific required conditions. Consumers interested in the set of updates that are actually recommended for this cluster should use availableUpdates. This list may be empty if no updates are recommended, if the update service is unavailable, or if an empty or invalid channel has been specified. + type: array + items: + description: ConditionalUpdate represents an update which is recommended to some clusters on the version the current cluster is reconciling, but which may not be recommended for the current cluster. + type: object + required: + - release + - risks + properties: + conditions: + description: 'conditions represents the observations of the conditional update''s current status. Known types are: * Evaluating, for whether the cluster-version operator will attempt to evaluate any risks[].matchingRules. * Recommended, for whether the update is recommended for the current cluster.' + type: array + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. 
// Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + type: object + required: + - lastTransitionTime + - message + - reason + - status + - type + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + type: string + format: date-time + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + type: string + maxLength: 32768 + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + type: integer + format: int64 + minimum: 0 + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + type: string + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + status: + description: status of the condition, one of True, False, Unknown. + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
--- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + type: string + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + release: + description: release is the target of the update. + type: object + properties: + channels: + description: channels is the set of Cincinnati channels to which the release currently belongs. + type: array + items: + type: string + x-kubernetes-list-type: set + image: + description: image is a container image location that contains the update. When this field is part of spec, image is optional if version is specified and the availableUpdates field contains a matching version. + type: string + url: + description: url contains information about this release. This URL is set by the 'url' metadata property on a release or the metadata returned by the update API and should be displayed as a link in user interfaces. The URL field may not be set for test or nightly releases. + type: string + version: + description: version is a semantic version identifying the update version. When this field is part of spec, version is optional if image is specified. + type: string + risks: + description: risks represents the range of issues associated with updating to the target release. The cluster-version operator will evaluate all entries, and only recommend the update if there is at least one entry and all entries recommend the update. + type: array + minItems: 1 + items: + description: ConditionalUpdateRisk represents a reason and cluster-state for not recommending a conditional update. 
+ type: object + required: + - matchingRules + - message + - name + - url + properties: + matchingRules: + description: matchingRules is a slice of conditions for deciding which clusters match the risk and which do not. The slice is ordered by decreasing precedence. The cluster-version operator will walk the slice in order, and stop after the first it can successfully evaluate. If no condition can be successfully evaluated, the update will not be recommended. + type: array + minItems: 1 + items: + description: ClusterCondition is a union of typed cluster conditions. The 'type' property determines which of the type-specific properties are relevant. When evaluated on a cluster, the condition may match, not match, or fail to evaluate. + type: object + required: + - type + properties: + promql: + description: promQL represents a cluster condition based on PromQL. + type: object + required: + - promql + properties: + promql: + description: PromQL is a PromQL query classifying clusters. This query query should return a 1 in the match case and a 0 in the does-not-match case. Queries which return no time series, or which return values besides 0 or 1, are evaluation failures. + type: string + type: + description: type represents the cluster-condition type. This defines the members and semantics of any additional properties. + type: string + enum: + - Always + - PromQL + x-kubernetes-list-type: atomic + message: + description: message provides additional information about the risk of updating, in the event that matchingRules match the cluster state. This is only to be consumed by humans. It may contain Line Feed characters (U+000A), which should be rendered as new lines. + type: string + minLength: 1 + name: + description: name is the CamelCase reason for not recommending a conditional update, in the event that matchingRules match the cluster state. + type: string + minLength: 1 + url: + description: url contains information about this risk. 
+ type: string + format: uri + minLength: 1 + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-list-type: atomic + conditions: + description: conditions provides information about the cluster version. The condition "Available" is set to true if the desiredUpdate has been reached. The condition "Progressing" is set to true if an update is being applied. The condition "Degraded" is set to true if an update is currently blocked by a temporary or permanent error. Conditions are only valid for the current desiredUpdate when metadata.generation is equal to status.generation. + type: array + items: + description: ClusterOperatorStatusCondition represents the state of the operator's managed and monitored components. + type: object + required: + - lastTransitionTime + - status + - type + properties: + lastTransitionTime: + description: lastTransitionTime is the time of the last update to the current status property. + type: string + format: date-time + message: + description: message provides additional information about the current condition. This is only to be consumed by humans. It may contain Line Feed characters (U+000A), which should be rendered as new lines. + type: string + reason: + description: reason is the CamelCase reason for the condition's current status. + type: string + status: + description: status of the condition, one of True, False, Unknown. + type: string + type: + description: type specifies the aspect reported by this condition. + type: string + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + desired: + description: desired is the version that the cluster is reconciling towards. If the cluster is not yet fully initialized desired will be set with the information available, which may be an image or a tag. + type: object + properties: + channels: + description: channels is the set of Cincinnati channels to which the release currently belongs. 
+ type: array + items: + type: string + x-kubernetes-list-type: set + image: + description: image is a container image location that contains the update. When this field is part of spec, image is optional if version is specified and the availableUpdates field contains a matching version. + type: string + url: + description: url contains information about this release. This URL is set by the 'url' metadata property on a release or the metadata returned by the update API and should be displayed as a link in user interfaces. The URL field may not be set for test or nightly releases. + type: string + version: + description: version is a semantic version identifying the update version. When this field is part of spec, version is optional if image is specified. + type: string + history: + description: history contains a list of the most recent versions applied to the cluster. This value may be empty during cluster startup, and then will be updated when a new update is being applied. The newest update is first in the list and it is ordered by recency. Updates in the history have state Completed if the rollout completed - if an update was failing or halfway applied the state will be Partial. Only a limited amount of update history is preserved. + type: array + items: + description: UpdateHistory is a single attempted update to the cluster. + type: object + required: + - completionTime + - image + - startedTime + - state + - verified + properties: + acceptedRisks: + description: acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature that was overriden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets. + type: string + completionTime: + description: completionTime, if set, is when the update was fully applied. The update that is currently being applied will have a null completion time. 
Completion time will always be set for entries that are not the current update (usually to the started time of the next update). + type: string + format: date-time + nullable: true + image: + description: image is a container image location that contains the update. This value is always populated. + type: string + startedTime: + description: startedTime is the time at which the update was started. + type: string + format: date-time + state: + description: state reflects whether the update was fully applied. The Partial state indicates the update is not fully applied, while the Completed state indicates the update was successfully rolled out at least once (all parts of the update successfully applied). + type: string + verified: + description: verified indicates whether the provided update was properly verified before it was installed. If this is false the cluster may not be trusted. Verified does not cover upgradeable checks that depend on the cluster state at the time when the update target was accepted. + type: boolean + version: + description: version is a semantic version identifying the update version. If the requested image does not define a version, or if a failure occurs retrieving the image, this value may be empty. + type: string + x-kubernetes-list-type: atomic + observedGeneration: + description: observedGeneration reports which version of the spec is being synced. If this value is not equal to metadata.generation, then the desired and conditions fields may represent a previous version. + type: integer + format: int64 + versionHash: + description: versionHash is a fingerprint of the content that the cluster will be updated with. It is used by the operator to avoid unnecessary work and is for internal use only. 
+ type: string + x-kubernetes-validations: + - rule: 'has(self.spec.capabilities) && has(self.spec.capabilities.additionalEnabledCapabilities) && self.spec.capabilities.baselineCapabilitySet == ''None'' && ''baremetal'' in self.spec.capabilities.additionalEnabledCapabilities ? ''MachineAPI'' in self.spec.capabilities.additionalEnabledCapabilities || (has(self.status) && has(self.status.capabilities) && has(self.status.capabilities.enabledCapabilities) && ''MachineAPI'' in self.status.capabilities.enabledCapabilities) : true' + message: the `baremetal` capability requires the `MachineAPI` capability, which is neither explicitly or implicitly enabled in this cluster, please enable the `MachineAPI` capability + - rule: 'has(self.spec.capabilities) && has(self.spec.capabilities.additionalEnabledCapabilities) && self.spec.capabilities.baselineCapabilitySet == ''None'' && ''marketplace'' in self.spec.capabilities.additionalEnabledCapabilities ? ''OperatorLifecycleManager'' in self.spec.capabilities.additionalEnabledCapabilities || (has(self.status) && has(self.status.capabilities) && has(self.status.capabilities.enabledCapabilities) && ''OperatorLifecycleManager'' in self.status.capabilities.enabledCapabilities) : true' + message: the `marketplace` capability requires the `OperatorLifecycleManager` capability, which is neither explicitly or implicitly enabled in this cluster, please enable the `OperatorLifecycleManager` capability + served: true + storage: true + subresources: + status: {} 
diff --git a/vendor/github.com/openshift/api/config/v1/0000_00_cluster-version-operator_01_clusterversion.crd.yaml b/vendor/github.com/openshift/api/config/v1/0000_00_cluster-version-operator_01_clusterversion-Default.crd.yaml similarity index 97% rename from vendor/github.com/openshift/api/config/v1/0000_00_cluster-version-operator_01_clusterversion.crd.yaml rename to vendor/github.com/openshift/api/config/v1/0000_00_cluster-version-operator_01_clusterversion-Default.crd.yaml index 9beee903a..6d802f0ca 100644 --- a/vendor/github.com/openshift/api/config/v1/0000_00_cluster-version-operator_01_clusterversion.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/0000_00_cluster-version-operator_01_clusterversion-Default.crd.yaml @@ -5,6 +5,7 @@ metadata: api-approved.openshift.io: https://github.com/openshift/api/pull/495 include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" + release.openshift.io/feature-set: Default name: clusterversions.config.openshift.io spec: group: config.openshift.io @@ -76,6 +77,7 @@ spec: - DeploymentConfig - ImageRegistry - OperatorLifecycleManager + - CloudCredential x-kubernetes-list-type: atomic baselineCapabilitySet: description: baselineCapabilitySet selects an initial set of optional capabilities to enable, which can be extended via additionalEnabledCapabilities. If unset, the cluster will choose a default, and the default may change over time. The current default is vCurrent. @@ -146,6 +148,12 @@ spec: unmanaged: description: 'unmanaged controls if cluster version operator should stop managing the resources in this cluster. Default: false' type: boolean + x-kubernetes-list-map-keys: + - kind + - group + - namespace + - name + x-kubernetes-list-type: map upstream: description: upstream may be used to specify the preferred update server. By default it will use the appropriate update server for the cluster and region. type: string 
@@ -170,6 +178,7 @@ spec: type: array items: type: string + x-kubernetes-list-type: set image: description: image is a container image location that contains the update. When this field is part of spec, image is optional if version is specified and the availableUpdates field contains a matching version. type: string @@ -180,6 +189,7 @@ spec: description: version is a semantic version identifying the update version. When this field is part of spec, version is optional if image is specified. type: string nullable: true + x-kubernetes-list-type: atomic capabilities: description: capabilities describes the state of optional, core cluster components. type: object @@ -204,6 +214,7 @@ spec: - DeploymentConfig - ImageRegistry - OperatorLifecycleManager + - CloudCredential x-kubernetes-list-type: atomic knownCapabilities: description: knownCapabilities lists all the capabilities known to the current cluster. @@ -225,6 +236,7 @@ spec: - DeploymentConfig - ImageRegistry - OperatorLifecycleManager + - CloudCredential x-kubernetes-list-type: atomic conditionalUpdates: description: conditionalUpdates contains the list of updates that may be recommended for this cluster if it meets specific required conditions. Consumers interested in the set of updates that are actually recommended for this cluster should use availableUpdates. This list may be empty if no updates are recommended, if the update service is unavailable, or if an empty or invalid channel has been specified. @@ -292,6 +304,7 @@ spec: type: array items: type: string + x-kubernetes-list-type: set image: description: image is a container image location that contains the update. When this field is part of spec, image is optional if version is specified and the availableUpdates field contains a matching version. type: string 
@@ -384,6 +397,9 @@ spec: type: description: type specifies the aspect reported by this condition. type: string + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map desired: description: desired is the version that the cluster is reconciling towards. If the cluster is not yet fully initialized desired will be set with the information available, which may be an image or a tag. type: object @@ -393,6 +409,7 @@ spec: type: array items: type: string + x-kubernetes-list-type: set image: description: image is a container image location that contains the update. When this field is part of spec, image is optional if version is specified and the availableUpdates field contains a matching version. type: string @@ -439,6 +456,7 @@ spec: version: description: version is a semantic version identifying the update version. If the requested image does not define a version, or if a failure occurs retrieving the image, this value may be empty. type: string + x-kubernetes-list-type: atomic observedGeneration: description: observedGeneration reports which version of the spec is being synced. If this value is not equal to metadata.generation, then the desired and conditions fields may represent a previous version. type: integer diff --git a/vendor/github.com/openshift/api/config/v1/0000_00_cluster-version-operator_01_clusterversion-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/0000_00_cluster-version-operator_01_clusterversion-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 000000000..878a71fa6 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/0000_00_cluster-version-operator_01_clusterversion-TechPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,503 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/495 + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: clusterversions.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ClusterVersion + plural: clusterversions + singular: clusterversion + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.history[?(@.state=="Completed")].version + name: Version + type: string + - jsonPath: .status.conditions[?(@.type=="Available")].status + name: Available + type: string + - jsonPath: .status.conditions[?(@.type=="Progressing")].status + name: Progressing + type: string + - jsonPath: .status.conditions[?(@.type=="Progressing")].lastTransitionTime + name: Since + type: date + - jsonPath: .status.conditions[?(@.type=="Progressing")].message + name: Status + type: string + name: v1 + schema: + openAPIV3Schema: + description: "ClusterVersion is the configuration for the ClusterVersionOperator. This is where parameters related to automatic updates can be set. \n Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer)." + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. 
In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: spec is the desired state of the cluster version - the operator will work to ensure that the desired version is applied to the cluster. + type: object + required: + - clusterID + properties: + capabilities: + description: capabilities configures the installation of optional, core cluster components. A null value here is identical to an empty object; see the child properties for default semantics. + type: object + properties: + additionalEnabledCapabilities: + description: additionalEnabledCapabilities extends the set of managed capabilities beyond the baseline defined in baselineCapabilitySet. The default is an empty set. + type: array + items: + description: ClusterVersionCapability enumerates optional, core cluster components. + type: string + enum: + - openshift-samples + - baremetal + - marketplace + - Console + - Insights + - Storage + - CSISnapshot + - NodeTuning + - MachineAPI + - Build + - DeploymentConfig + - ImageRegistry + - OperatorLifecycleManager + - CloudCredential + x-kubernetes-list-type: atomic + baselineCapabilitySet: + description: baselineCapabilitySet selects an initial set of optional capabilities to enable, which can be extended via additionalEnabledCapabilities. If unset, the cluster will choose a default, and the default may change over time. The current default is vCurrent. + type: string + enum: + - None + - v4.11 + - v4.12 + - v4.13 + - v4.14 + - v4.15 + - vCurrent + channel: + description: channel is an identifier for explicitly requesting that a non-default set of updates be applied to this cluster. The default channel will be contain stable updates that are appropriate for production clusters. + type: string + clusterID: + description: clusterID uniquely identifies this cluster. 
This is expected to be an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in hexadecimal values). This is a required field. + type: string + desiredUpdate: + description: "desiredUpdate is an optional field that indicates the desired value of the cluster version. Setting this value will trigger an upgrade (if the current version does not match the desired version). The set of recommended update values is listed as part of available updates in status, and setting values outside that range may cause the upgrade to fail. \n Some of the fields are inter-related with restrictions and meanings described here. 1. image is specified, version is specified, architecture is specified. API validation error. 2. image is specified, version is specified, architecture is not specified. You should not do this. version is silently ignored and image is used. 3. image is specified, version is not specified, architecture is specified. API validation error. 4. image is specified, version is not specified, architecture is not specified. image is used. 5. image is not specified, version is specified, architecture is specified. version and desired architecture are used to select an image. 6. image is not specified, version is specified, architecture is not specified. version and current architecture are used to select an image. 7. image is not specified, version is not specified, architecture is specified. API validation error. 8. image is not specified, version is not specified, architecture is not specified. API validation error. \n If an upgrade fails the operator will halt and report status about the failing component. Setting the desired update value back to the previous version will cause a rollback to be attempted. Not all rollbacks will succeed." + type: object + properties: + architecture: + description: architecture is an optional field that indicates the desired value of the cluster architecture. 
In this context cluster architecture means either a single architecture or a multi architecture. architecture can only be set to Multi thereby only allowing updates from single to multi architecture. If architecture is set, image cannot be set and version must be set. Valid values are 'Multi' and empty. + type: string + enum: + - Multi + - "" + force: + description: force allows an administrator to update to an image that has failed verification or upgradeable checks. This option should only be used when the authenticity of the provided image has been verified out of band because the provided image will run with full administrative access to the cluster. Do not use this flag with images that comes from unknown or potentially malicious sources. + type: boolean + image: + description: image is a container image location that contains the update. image should be used when the desired version does not exist in availableUpdates or history. When image is set, version is ignored. When image is set, version should be empty. When image is set, architecture cannot be specified. + type: string + version: + description: version is a semantic version identifying the update version. version is ignored if image is specified and required if architecture is specified. + type: string + x-kubernetes-validations: + - rule: 'has(self.architecture) && has(self.image) ? (self.architecture == '''' || self.image == '''') : true' + message: cannot set both Architecture and Image + - rule: 'has(self.architecture) && self.architecture != '''' ? self.version != '''' : true' + message: Version must be set if Architecture is set + overrides: + description: overrides is list of overides for components that are managed by cluster version operator. Marking a component unmanaged will prevent the operator from creating or updating the object. + type: array + items: + description: ComponentOverride allows overriding cluster version operator's behavior for a component. 
+ type: object + required: + - group + - kind + - name + - namespace + - unmanaged + properties: + group: + description: group identifies the API group that the kind is in. + type: string + kind: + description: kind indentifies which object to override. + type: string + name: + description: name is the component's name. + type: string + namespace: + description: namespace is the component's namespace. If the resource is cluster scoped, the namespace should be empty. + type: string + unmanaged: + description: 'unmanaged controls if cluster version operator should stop managing the resources in this cluster. Default: false' + type: boolean + x-kubernetes-list-map-keys: + - kind + - group + - namespace + - name + x-kubernetes-list-type: map + signatureStores: + description: "signatureStores contains the upstream URIs to verify release signatures and optional reference to a config map by name containing the PEM-encoded CA bundle. \n By default, CVO will use existing signature stores if this property is empty. The CVO will check the release signatures in the local ConfigMaps first. It will search for a valid signature in these stores in parallel only when local ConfigMaps did not include a valid signature. Validation will fail if none of the signature stores reply with valid signature before timeout. Setting signatureStores will replace the default signature stores with custom signature stores. Default stores can be used with custom signature stores by adding them manually. \n A maximum of 32 signature stores may be configured." + type: array + maxItems: 32 + items: + description: SignatureStore represents the URL of custom Signature Store + type: object + required: + - url + properties: + ca: + description: ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. It is used as a trust anchor to validate the TLS certificate presented by the remote server. The key "ca.crt" is used to locate the data. 
If specified and the config map or expected key is not found, the signature store is not honored. If the specified ca data is not valid, the signature store is not honored. If empty, we fall back to the CA configured via Proxy, which is appended to the default system roots. The namespace for this config map is openshift-config. + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced config map + type: string + url: + description: url contains the upstream custom signature store URL. url should be a valid absolute http/https URI of an upstream signature store as per rfc1738. This must be provided and cannot be empty. + type: string + x-kubernetes-validations: + - rule: isURL(self) + message: url must be a valid absolute URL + x-kubernetes-list-map-keys: + - url + x-kubernetes-list-type: map + upstream: + description: upstream may be used to specify the preferred update server. By default it will use the appropriate update server for the cluster and region. + type: string + status: + description: status contains information about the available updates and any in-progress updates. + type: object + required: + - availableUpdates + - desired + - observedGeneration + - versionHash + properties: + availableUpdates: + description: availableUpdates contains updates recommended for this cluster. Updates which appear in conditionalUpdates but not in availableUpdates may expose this cluster to known issues. This list may be empty if no updates are recommended, if the update service is unavailable, or if an invalid channel has been specified. + type: array + items: + description: Release represents an OpenShift release image and associated metadata. + type: object + properties: + channels: + description: channels is the set of Cincinnati channels to which the release currently belongs. 
+ type: array + items: + type: string + x-kubernetes-list-type: set + image: + description: image is a container image location that contains the update. When this field is part of spec, image is optional if version is specified and the availableUpdates field contains a matching version. + type: string + url: + description: url contains information about this release. This URL is set by the 'url' metadata property on a release or the metadata returned by the update API and should be displayed as a link in user interfaces. The URL field may not be set for test or nightly releases. + type: string + version: + description: version is a semantic version identifying the update version. When this field is part of spec, version is optional if image is specified. + type: string + nullable: true + x-kubernetes-list-type: atomic + capabilities: + description: capabilities describes the state of optional, core cluster components. + type: object + properties: + enabledCapabilities: + description: enabledCapabilities lists all the capabilities that are currently managed. + type: array + items: + description: ClusterVersionCapability enumerates optional, core cluster components. + type: string + enum: + - openshift-samples + - baremetal + - marketplace + - Console + - Insights + - Storage + - CSISnapshot + - NodeTuning + - MachineAPI + - Build + - DeploymentConfig + - ImageRegistry + - OperatorLifecycleManager + - CloudCredential + x-kubernetes-list-type: atomic + knownCapabilities: + description: knownCapabilities lists all the capabilities known to the current cluster. + type: array + items: + description: ClusterVersionCapability enumerates optional, core cluster components. 
+ type: string + enum: + - openshift-samples + - baremetal + - marketplace + - Console + - Insights + - Storage + - CSISnapshot + - NodeTuning + - MachineAPI + - Build + - DeploymentConfig + - ImageRegistry + - OperatorLifecycleManager + - CloudCredential + x-kubernetes-list-type: atomic + conditionalUpdates: + description: conditionalUpdates contains the list of updates that may be recommended for this cluster if it meets specific required conditions. Consumers interested in the set of updates that are actually recommended for this cluster should use availableUpdates. This list may be empty if no updates are recommended, if the update service is unavailable, or if an empty or invalid channel has been specified. + type: array + items: + description: ConditionalUpdate represents an update which is recommended to some clusters on the version the current cluster is reconciling, but which may not be recommended for the current cluster. + type: object + required: + - release + - risks + properties: + conditions: + description: 'conditions represents the observations of the conditional update''s current status. Known types are: * Evaluating, for whether the cluster-version operator will attempt to evaluate any risks[].matchingRules. * Recommended, for whether the update is recommended for the current cluster.' + type: array + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. 
// Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + type: object + required: + - lastTransitionTime + - message + - reason + - status + - type + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + type: string + format: date-time + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + type: string + maxLength: 32768 + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + type: integer + format: int64 + minimum: 0 + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + type: string + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + status: + description: status of the condition, one of True, False, Unknown. + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
--- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + type: string + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + release: + description: release is the target of the update. + type: object + properties: + channels: + description: channels is the set of Cincinnati channels to which the release currently belongs. + type: array + items: + type: string + x-kubernetes-list-type: set + image: + description: image is a container image location that contains the update. When this field is part of spec, image is optional if version is specified and the availableUpdates field contains a matching version. + type: string + url: + description: url contains information about this release. This URL is set by the 'url' metadata property on a release or the metadata returned by the update API and should be displayed as a link in user interfaces. The URL field may not be set for test or nightly releases. + type: string + version: + description: version is a semantic version identifying the update version. When this field is part of spec, version is optional if image is specified. + type: string + risks: + description: risks represents the range of issues associated with updating to the target release. The cluster-version operator will evaluate all entries, and only recommend the update if there is at least one entry and all entries recommend the update. + type: array + minItems: 1 + items: + description: ConditionalUpdateRisk represents a reason and cluster-state for not recommending a conditional update. 
+ type: object + required: + - matchingRules + - message + - name + - url + properties: + matchingRules: + description: matchingRules is a slice of conditions for deciding which clusters match the risk and which do not. The slice is ordered by decreasing precedence. The cluster-version operator will walk the slice in order, and stop after the first it can successfully evaluate. If no condition can be successfully evaluated, the update will not be recommended. + type: array + minItems: 1 + items: + description: ClusterCondition is a union of typed cluster conditions. The 'type' property determines which of the type-specific properties are relevant. When evaluated on a cluster, the condition may match, not match, or fail to evaluate. + type: object + required: + - type + properties: + promql: + description: promQL represents a cluster condition based on PromQL. + type: object + required: + - promql + properties: + promql: + description: PromQL is a PromQL query classifying clusters. This query query should return a 1 in the match case and a 0 in the does-not-match case. Queries which return no time series, or which return values besides 0 or 1, are evaluation failures. + type: string + type: + description: type represents the cluster-condition type. This defines the members and semantics of any additional properties. + type: string + enum: + - Always + - PromQL + x-kubernetes-list-type: atomic + message: + description: message provides additional information about the risk of updating, in the event that matchingRules match the cluster state. This is only to be consumed by humans. It may contain Line Feed characters (U+000A), which should be rendered as new lines. + type: string + minLength: 1 + name: + description: name is the CamelCase reason for not recommending a conditional update, in the event that matchingRules match the cluster state. + type: string + minLength: 1 + url: + description: url contains information about this risk. 
+ type: string + format: uri + minLength: 1 + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-list-type: atomic + conditions: + description: conditions provides information about the cluster version. The condition "Available" is set to true if the desiredUpdate has been reached. The condition "Progressing" is set to true if an update is being applied. The condition "Degraded" is set to true if an update is currently blocked by a temporary or permanent error. Conditions are only valid for the current desiredUpdate when metadata.generation is equal to status.generation. + type: array + items: + description: ClusterOperatorStatusCondition represents the state of the operator's managed and monitored components. + type: object + required: + - lastTransitionTime + - status + - type + properties: + lastTransitionTime: + description: lastTransitionTime is the time of the last update to the current status property. + type: string + format: date-time + message: + description: message provides additional information about the current condition. This is only to be consumed by humans. It may contain Line Feed characters (U+000A), which should be rendered as new lines. + type: string + reason: + description: reason is the CamelCase reason for the condition's current status. + type: string + status: + description: status of the condition, one of True, False, Unknown. + type: string + type: + description: type specifies the aspect reported by this condition. + type: string + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + desired: + description: desired is the version that the cluster is reconciling towards. If the cluster is not yet fully initialized desired will be set with the information available, which may be an image or a tag. + type: object + properties: + channels: + description: channels is the set of Cincinnati channels to which the release currently belongs. 
+ type: array + items: + type: string + x-kubernetes-list-type: set + image: + description: image is a container image location that contains the update. When this field is part of spec, image is optional if version is specified and the availableUpdates field contains a matching version. + type: string + url: + description: url contains information about this release. This URL is set by the 'url' metadata property on a release or the metadata returned by the update API and should be displayed as a link in user interfaces. The URL field may not be set for test or nightly releases. + type: string + version: + description: version is a semantic version identifying the update version. When this field is part of spec, version is optional if image is specified. + type: string + history: + description: history contains a list of the most recent versions applied to the cluster. This value may be empty during cluster startup, and then will be updated when a new update is being applied. The newest update is first in the list and it is ordered by recency. Updates in the history have state Completed if the rollout completed - if an update was failing or halfway applied the state will be Partial. Only a limited amount of update history is preserved. + type: array + items: + description: UpdateHistory is a single attempted update to the cluster. + type: object + required: + - completionTime + - image + - startedTime + - state + - verified + properties: + acceptedRisks: + description: acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature that was overriden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets. + type: string + completionTime: + description: completionTime, if set, is when the update was fully applied. The update that is currently being applied will have a null completion time. 
Completion time will always be set for entries that are not the current update (usually to the started time of the next update). + type: string + format: date-time + nullable: true + image: + description: image is a container image location that contains the update. This value is always populated. + type: string + startedTime: + description: startedTime is the time at which the update was started. + type: string + format: date-time + state: + description: state reflects whether the update was fully applied. The Partial state indicates the update is not fully applied, while the Completed state indicates the update was successfully rolled out at least once (all parts of the update successfully applied). + type: string + verified: + description: verified indicates whether the provided update was properly verified before it was installed. If this is false the cluster may not be trusted. Verified does not cover upgradeable checks that depend on the cluster state at the time when the update target was accepted. + type: boolean + version: + description: version is a semantic version identifying the update version. If the requested image does not define a version, or if a failure occurs retrieving the image, this value may be empty. + type: string + x-kubernetes-list-type: atomic + observedGeneration: + description: observedGeneration reports which version of the spec is being synced. If this value is not equal to metadata.generation, then the desired and conditions fields may represent a previous version. + type: integer + format: int64 + versionHash: + description: versionHash is a fingerprint of the content that the cluster will be updated with. It is used by the operator to avoid unnecessary work and is for internal use only. 
+ type: string + x-kubernetes-validations: + - rule: 'has(self.spec.capabilities) && has(self.spec.capabilities.additionalEnabledCapabilities) && self.spec.capabilities.baselineCapabilitySet == ''None'' && ''baremetal'' in self.spec.capabilities.additionalEnabledCapabilities ? ''MachineAPI'' in self.spec.capabilities.additionalEnabledCapabilities || (has(self.status) && has(self.status.capabilities) && has(self.status.capabilities.enabledCapabilities) && ''MachineAPI'' in self.status.capabilities.enabledCapabilities) : true' + message: the `baremetal` capability requires the `MachineAPI` capability, which is neither explicitly or implicitly enabled in this cluster, please enable the `MachineAPI` capability + - rule: 'has(self.spec.capabilities) && has(self.spec.capabilities.additionalEnabledCapabilities) && self.spec.capabilities.baselineCapabilitySet == ''None'' && ''marketplace'' in self.spec.capabilities.additionalEnabledCapabilities ? ''OperatorLifecycleManager'' in self.spec.capabilities.additionalEnabledCapabilities || (has(self.status) && has(self.status.capabilities) && has(self.status.capabilities.enabledCapabilities) && ''OperatorLifecycleManager'' in self.status.capabilities.enabledCapabilities) : true' + message: the `marketplace` capability requires the `OperatorLifecycleManager` capability, which is neither explicitly or implicitly enabled in this cluster, please enable the `OperatorLifecycleManager` capability + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_authentication.crd-CustomNoUpgrade.yaml b/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_authentication.crd-CustomNoUpgrade.yaml index b7954d79a..597344ff0 100644 --- a/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_authentication.crd-CustomNoUpgrade.yaml 
+++ b/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_authentication.crd-CustomNoUpgrade.yaml @@ -163,6 +163,50 @@ spec: description: Name of the OIDC provider type: string minLength: 1 + oidcClients: + description: OIDCClients contains configuration for the platform's clients that need to request tokens from the issuer + type: array + maxItems: 20 + items: + type: object + required: + - clientID + - componentName + - componentNamespace + properties: + clientID: + description: ClientID is the identifier of the OIDC client from the OIDC provider + type: string + minLength: 1 + clientSecret: + description: ClientSecret refers to a secret in the `openshift-config` namespace that contains the client secret in the `clientSecret` key of the `.data` field + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced secret + type: string + componentName: + description: ComponentName is the name of the component that is supposed to consume this client configuration + type: string + maxLength: 256 + minLength: 1 + componentNamespace: + description: ComponentNamespace is the namespace of the component that is supposed to consume this client configuration + type: string + maxLength: 63 + minLength: 1 + extraScopes: + description: ExtraScopes is an optional set of scopes to request tokens with. + type: array + items: + type: string + x-kubernetes-list-type: set + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map x-kubernetes-list-map-keys: - name x-kubernetes-list-type: map 
@@ -217,3 +261,114 @@ spec: name: description: name is the metadata.name of the referenced config map type: string + oidcClients: + description: OIDCClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. + type: array + maxItems: 20 + items: + type: object + required: + - componentName + - componentNamespace + properties: + componentName: + description: ComponentName is the name of the component that will consume a client configuration. + type: string + maxLength: 256 + minLength: 1 + componentNamespace: + description: ComponentNamespace is the namespace of the component that will consume a client configuration. + type: string + maxLength: 63 + minLength: 1 + conditions: + description: "Conditions are used to communicate the state of the `oidcClients` entry. \n Supported conditions include Available, Degraded and Progressing. \n If Available is true, the component is successfully using the configured client. If Degraded is true, that means something has gone wrong trying to handle the client configuration. If Progressing is true, that means the component is taking some action related to the `oidcClients` entry." + type: array + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. 
// Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + type: object + required: + - lastTransitionTime + - message + - reason + - status + - type + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + type: string + format: date-time + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + type: string + maxLength: 32768 + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + type: integer + format: int64 + minimum: 0 + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + type: string + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + status: + description: status of the condition, one of True, False, Unknown. + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
--- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + type: string + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + consumingUsers: + description: ConsumingUsers is a slice of ServiceAccounts that need to have read permission on the `clientSecret` secret. + type: array + maxItems: 5 + items: + description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. + type: string + maxLength: 512 + minLength: 1 + pattern: ^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + x-kubernetes-list-type: set + currentOIDCClients: + description: CurrentOIDCClients is a list of clients that the component is currently using. + type: array + items: + type: object + required: + - clientID + - issuerURL + - oidcProviderName + properties: + clientID: + description: ClientID is the identifier of the OIDC client from the OIDC provider + type: string + minLength: 1 + issuerURL: + description: URL is the serving URL of the token issuer. Must use the https:// scheme. 
+ type: string + pattern: ^https:\/\/[^\s] + oidcProviderName: + description: OIDCName refers to the `name` of the provider from `oidcProviders` + type: string + minLength: 1 + x-kubernetes-list-map-keys: + - issuerURL + - clientID + x-kubernetes-list-type: map + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map + x-kubernetes-validations: + - rule: '!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace == specC.componentNamespace && statusC.componentName == specC.componentName) || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, oldC.componentNamespace == specC.componentNamespace && oldC.componentName == specC.componentName)))))' + message: all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients diff --git a/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_authentication.crd-TechPreviewNoUpgrade.yaml b/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_authentication.crd-TechPreviewNoUpgrade.yaml index e8047a40b..d475dec95 100644 --- a/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_authentication.crd-TechPreviewNoUpgrade.yaml +++ b/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_authentication.crd-TechPreviewNoUpgrade.yaml 
@@ -163,6 +163,50 @@ spec: description: Name of the OIDC provider type: string minLength: 1 + oidcClients: + description: OIDCClients contains configuration for the platform's clients that need to request tokens from the issuer + type: array + maxItems: 20 + items: + type: object + required: + - clientID + - componentName + - componentNamespace + properties: + clientID: + description: ClientID is the identifier of the OIDC client from the OIDC provider + type: string + minLength: 1 + clientSecret: + description: ClientSecret refers to a secret in the `openshift-config` namespace that contains the client secret in the `clientSecret` key of the `.data` field + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced secret + type: string + componentName: + description: ComponentName is the name of the component that is supposed to consume this client configuration + type: string + maxLength: 256 + minLength: 1 + componentNamespace: + description: ComponentNamespace is the namespace of the component that is supposed to consume this client configuration + type: string + maxLength: 63 + minLength: 1 + extraScopes: + description: ExtraScopes is an optional set of scopes to request tokens with. + type: array + items: + type: string + x-kubernetes-list-type: set + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map x-kubernetes-list-map-keys: - name x-kubernetes-list-type: map 
@@ -217,3 +261,114 @@ spec: name: description: name is the metadata.name of the referenced config map type: string + oidcClients: + description: OIDCClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. + type: array + maxItems: 20 + items: + type: object + required: + - componentName + - componentNamespace + properties: + componentName: + description: ComponentName is the name of the component that will consume a client configuration. + type: string + maxLength: 256 + minLength: 1 + componentNamespace: + description: ComponentNamespace is the namespace of the component that will consume a client configuration. + type: string + maxLength: 63 + minLength: 1 + conditions: + description: "Conditions are used to communicate the state of the `oidcClients` entry. \n Supported conditions include Available, Degraded and Progressing. \n If Available is true, the component is successfully using the configured client. If Degraded is true, that means something has gone wrong trying to handle the client configuration. If Progressing is true, that means the component is taking some action related to the `oidcClients` entry." + type: array + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. 
// Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + type: object + required: + - lastTransitionTime + - message + - reason + - status + - type + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + type: string + format: date-time + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + type: string + maxLength: 32768 + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + type: integer + format: int64 + minimum: 0 + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + type: string + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + status: + description: status of the condition, one of True, False, Unknown. + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
--- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + type: string + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + consumingUsers: + description: ConsumingUsers is a slice of ServiceAccounts that need to have read permission on the `clientSecret` secret. + type: array + maxItems: 5 + items: + description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. + type: string + maxLength: 512 + minLength: 1 + pattern: ^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + x-kubernetes-list-type: set + currentOIDCClients: + description: CurrentOIDCClients is a list of clients that the component is currently using. + type: array + items: + type: object + required: + - clientID + - issuerURL + - oidcProviderName + properties: + clientID: + description: ClientID is the identifier of the OIDC client from the OIDC provider + type: string + minLength: 1 + issuerURL: + description: URL is the serving URL of the token issuer. Must use the https:// scheme. 
+ type: string + pattern: ^https:\/\/[^\s] + oidcProviderName: + description: OIDCName refers to the `name` of the provider from `oidcProviders` + type: string + minLength: 1 + x-kubernetes-list-map-keys: + - issuerURL + - clientID + x-kubernetes-list-type: map + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map + x-kubernetes-validations: + - rule: '!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace == specC.componentNamespace && statusC.componentName == specC.componentName) || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, oldC.componentNamespace == specC.componentNamespace && oldC.componentName == specC.componentName)))))' + message: all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients diff --git a/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_infrastructure-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_infrastructure-CustomNoUpgrade.crd.yaml index 177d4b203..89e2e0d60 100644 --- a/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_infrastructure-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_infrastructure-CustomNoUpgrade.crd.yaml 
@@ -66,52 +66,14 @@ spec: type: string type: object type: array + x-kubernetes-list-type: atomic type: object azure: description: Azure contains settings specific to the Azure infrastructure provider. type: object baremetal: description: BareMetal contains settings specific to the BareMetal platform. - properties: - apiServerInternalIPs: - description: apiServerInternalIPs are the IP addresses to contact the Kubernetes API server that can be used by components inside the cluster, like kubelets using the infrastructure rather than Kubernetes networking. These are the IPs for a self-hosted load balancer in front of the API servers. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. When omitted, values from the status.apiServerInternalIPs will be used. Once set, the list cannot be completely removed (but its second entry can). - items: - description: IP is an IP address (for example, "10.0.0.0" or "fd00::"). 
- pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*) - type: string - maxItems: 2 - type: array - x-kubernetes-list-type: set - x-kubernetes-validations: - - message: apiServerInternalIPs must contain at most one IPv4 address and at most one IPv6 address - rule: 'size(self) == 2 ? self.exists_one(x, x.contains('':'')) : true' - ingressIPs: - description: ingressIPs are the external IPs which route to the default ingress controller. The IPs are suitable targets of a wildcard DNS record used to resolve default route host names. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. When omitted, values from the status.ingressIPs will be used. Once set, the list cannot be completely removed (but its second entry can). - items: - description: IP is an IP address (for example, "10.0.0.0" or "fd00::"). 
- pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*) - type: string - maxItems: 2 - type: array - x-kubernetes-list-type: set - x-kubernetes-validations: - - message: ingressIPs must contain at most one IPv4 address and at most one IPv6 address - rule: 'size(self) == 2 ? self.exists_one(x, x.contains('':'')) : true' - machineNetworks: - description: machineNetworks are IP networks used to connect all the OpenShift cluster nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". - items: - description: CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). 
- pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) - type: string - maxItems: 32 - type: array - x-kubernetes-list-type: set type: object - x-kubernetes-validations: - - message: apiServerInternalIPs list is required once set - rule: '!has(oldSelf.apiServerInternalIPs) || has(self.apiServerInternalIPs)' - - message: ingressIPs list is required once set - rule: '!has(oldSelf.ingressIPs) || has(self.ingressIPs)' equinixMetal: description: EquinixMetal contains settings specific to the Equinix Metal infrastructure provider. type: object 
@@ -269,46 +231,7 @@ spec: type: object openstack: description: OpenStack contains settings specific to the OpenStack infrastructure provider. - properties: - apiServerInternalIPs: - description: apiServerInternalIPs are the IP addresses to contact the Kubernetes API server that can be used by components inside the cluster, like kubelets using the infrastructure rather than Kubernetes networking. These are the IPs for a self-hosted load balancer in front of the API servers. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. When omitted, values from the status.apiServerInternalIPs will be used. Once set, the list cannot be completely removed (but its second entry can). - items: - description: IP is an IP address (for example, "10.0.0.0" or "fd00::"). - pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s
*) - type: string - maxItems: 2 - type: array - x-kubernetes-list-type: set - x-kubernetes-validations: - - message: apiServerInternalIPs must contain at most one IPv4 address and at most one IPv6 address - rule: 'size(self) == 2 ? self.exists_one(x, x.contains('':'')) : true' - ingressIPs: - description: ingressIPs are the external IPs which route to the default ingress controller. The IPs are suitable targets of a wildcard DNS record used to resolve default route host names. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. When omitted, values from the status.ingressIPs will be used. Once set, the list cannot be completely removed (but its second entry can). - items: - description: IP is an IP address (for example, "10.0.0.0" or "fd00::"). - pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*) - 
type: string - maxItems: 2 - type: array - x-kubernetes-list-type: set - x-kubernetes-validations: - - message: ingressIPs must contain at most one IPv4 address and at most one IPv6 address - rule: 'size(self) == 2 ? self.exists_one(x, x.contains('':'')) : true' - machineNetworks: - description: machineNetworks are IP networks used to connect all the OpenShift cluster nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". - items: - description: CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). - pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) - type: string - maxItems: 32 - type: array - x-kubernetes-list-type: set type: object - x-kubernetes-validations: - - message: apiServerInternalIPs list is required once set - rule: 
'!has(oldSelf.apiServerInternalIPs) || has(self.apiServerInternalIPs)' - - message: ingressIPs list is required once set - rule: '!has(oldSelf.ingressIPs) || has(self.ingressIPs)' ovirt: description: Ovirt contains settings specific to the oVirt infrastructure provider. type: object 
@@ -362,18 +285,6 @@ spec: vsphere: description: VSphere contains settings specific to the VSphere infrastructure provider. properties: - apiServerInternalIPs: - description: apiServerInternalIPs are the IP addresses to contact the Kubernetes API server that can be used by components inside the cluster, like kubelets using the infrastructure rather than Kubernetes networking. These are the IPs for a self-hosted load balancer in front of the API servers. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. When omitted, values from the status.apiServerInternalIPs will be used. Once set, the list cannot be completely removed (but its second entry can). - items: - description: IP is an IP address (for example, "10.0.0.0" or "fd00::"). - pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*) - type: string - 
maxItems: 2 - type: array - x-kubernetes-list-type: set - x-kubernetes-validations: - - message: apiServerInternalIPs must contain at most one IPv4 address and at most one IPv6 address - rule: 'size(self) == 2 ? self.exists_one(x, x.contains('':'')) : true' failureDomains: description: failureDomains contains the definition of region, zone and the vCenter topology. If this is omitted failure domains (regions and zones) will not be used. items: @@ -427,6 +338,7 @@ spec: maxItems: 1 minItems: 1 type: array + x-kubernetes-list-type: atomic resourcePool: description: resourcePool is the absolute path of the resource pool where virtual machines will be created. The absolute path is of the form //host//Resources/. The maximum length of the path is 2048 characters. maxLength: 2048 
@@ -457,27 +369,9 @@ spec: - zone type: object type: array - ingressIPs: - description: ingressIPs are the external IPs which route to the default ingress controller. The IPs are suitable targets of a wildcard DNS record used to resolve default route host names. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. When omitted, values from the status.ingressIPs will be used. Once set, the list cannot be completely removed (but its second entry can). - items: - description: IP is an IP address (for example, "10.0.0.0" or "fd00::"). - pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*) - type: string - maxItems: 2 - type: array - x-kubernetes-list-type: set - x-kubernetes-validations: - - message: ingressIPs must contain at most one IPv4 address and at most one IPv6 address - rule: 'size(self) == 2 ? 
self.exists_one(x, x.contains('':'')) : true' - machineNetworks: - description: machineNetworks are IP networks used to connect all the OpenShift cluster nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". - items: - description: CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). - pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) - type: string - maxItems: 32 - type: array - x-kubernetes-list-type: set + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map nodeNetworking: description: nodeNetworking contains the definition of internal and external network constraints for assigning the node's networking. 
If this field is omitted, networking defaults to the legacy address selection behavior which is to only support a single address and return the first one found. properties: @@ -490,6 +384,7 @@ spec: format: cidr type: string type: array + x-kubernetes-list-type: atomic network: description: network VirtualMachine's VM Network names that will be used to when searching for status.addresses fields. Note that if internal.networkSubnetCIDR and external.networkSubnetCIDR are not set, then the vNIC associated to this network must only have a single IP address assigned to it. The available networks (port groups) can be listed using `govc ls 'network/*'` type: string @@ -499,6 +394,7 @@ spec: format: cidr type: string type: array + x-kubernetes-list-type: set type: object internal: description: internal represents the network configuration of the node that is routable only within the cluster. @@ -509,6 +405,7 @@ spec: format: cidr type: string type: array + x-kubernetes-list-type: atomic network: description: network VirtualMachine's VM Network names that will be used to when searching for status.addresses fields. Note that if internal.networkSubnetCIDR and external.networkSubnetCIDR are not set, then the vNIC associated to this network must only have a single IP address assigned to it. The available networks (port groups) can be listed using `govc ls 'network/*'` type: string @@ -518,6 +415,7 @@ spec: format: cidr type: string type: array + x-kubernetes-list-type: set type: object type: object vcenters: @@ -531,6 +429,7 @@ spec: type: string minItems: 1 type: array + x-kubernetes-list-type: set port: description: port is the TCP port that will be used to communicate to the vCenter endpoint. When omitted, this means the user has no opinion and it is up to the platform to choose a sensible default, which is subject to change over time. format: int32 
@@ -552,12 +451,8 @@ spec: maxItems: 1 minItems: 0 type: array + x-kubernetes-list-type: atomic type: object - x-kubernetes-validations: - - message: apiServerInternalIPs list is required once set - rule: '!has(oldSelf.apiServerInternalIPs) || has(self.apiServerInternalIPs)' - - message: ingressIPs list is required once set - rule: '!has(oldSelf.ingressIPs) || has(self.ingressIPs)' type: object type: object status: @@ -688,6 +583,7 @@ spec: type: object maxItems: 25 type: array + x-kubernetes-list-type: atomic serviceEndpoints: description: ServiceEndpoints list contains custom endpoints which will override default service endpoint of AWS Services. There must be only one ServiceEndpoint for a service. items: @@ -703,6 +599,7 @@ spec: type: string type: object type: array + x-kubernetes-list-type: atomic type: object azure: description: Azure contains settings specific to the Azure infrastructure provider. @@ -749,6 +646,7 @@ spec: type: object maxItems: 10 type: array + x-kubernetes-list-type: atomic x-kubernetes-validations: - message: resourceTags are immutable and may only be configured during installation rule: self.all(x, x in oldSelf) && oldSelf.all(x, x in self) @@ -769,6 +667,7 @@ spec: type: string maxItems: 2 type: array + x-kubernetes-list-type: set ingressIP: description: "ingressIP is an external IP which routes to the default ingress controller. The IP is a suitable target of a wildcard DNS record used to resolve default route host names. \n Deprecated: Use IngressIPs instead." type: string @@ -779,6 +678,7 @@ spec: type: string maxItems: 2 type: array + x-kubernetes-list-type: set loadBalancer: default: type: OpenShiftManagedDefault 
@@ -795,15 +695,6 @@ spec: - message: type is immutable once set rule: oldSelf == '' || self == oldSelf type: object - machineNetworks: - description: machineNetworks are IP networks used to connect all the OpenShift cluster nodes. - items: - description: CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). - pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) - type: string - maxItems: 32 - type: array - x-kubernetes-list-type: set nodeDNSIP: description: nodeDNSIP is the IP address for the internal DNS used by the nodes. Unlike the one managed by the DNS operator, `NodeDNSIP` provides name resolution for the nodes themselves. There is no DNS-as-a-service for BareMetal deployments. 
In order to minimize necessary changes to the datacenter DNS, a DNS service is hosted as a static pod to serve those hostnames to the nodes in the cluster. type: string @@ -1011,6 +902,7 @@ spec: type: string maxItems: 2 type: array + x-kubernetes-list-type: set ingressIP: description: "ingressIP is an external IP which routes to the default ingress controller. The IP is a suitable target of a wildcard DNS record used to resolve default route host names. \n Deprecated: Use IngressIPs instead." type: string @@ -1021,6 +913,7 @@ spec: type: string maxItems: 2 type: array + x-kubernetes-list-type: set loadBalancer: default: type: OpenShiftManagedDefault @@ -1051,6 +944,7 @@ spec: type: string maxItems: 2 type: array + x-kubernetes-list-type: set cloudName: description: cloudName is the name of the desired OpenStack cloud in the client configuration file (`clouds.yaml`). type: string @@ -1064,6 +958,7 @@ spec: type: string maxItems: 2 type: array + x-kubernetes-list-type: set loadBalancer: default: type: OpenShiftManagedDefault 
@@ -1080,15 +975,6 @@ spec: - message: type is immutable once set rule: oldSelf == '' || self == oldSelf type: object - machineNetworks: - description: machineNetworks are IP networks used to connect all the OpenShift cluster nodes. - items: - description: CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). - pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) - type: string - maxItems: 32 - type: array - x-kubernetes-list-type: set nodeDNSIP: description: nodeDNSIP is the IP address for the internal DNS used by the nodes. Unlike the one managed by the DNS operator, `NodeDNSIP` provides name resolution for the nodes themselves. There is no DNS-as-a-service for OpenStack deployments. 
In order to minimize necessary changes to the datacenter DNS, a DNS service is hosted as a static pod to serve those hostnames to the nodes in the cluster. type: string @@ -1106,6 +992,7 @@ spec: type: string maxItems: 2 type: array + x-kubernetes-list-type: set ingressIP: description: "ingressIP is an external IP which routes to the default ingress controller. The IP is a suitable target of a wildcard DNS record used to resolve default route host names. \n Deprecated: Use IngressIPs instead." type: string @@ -1116,6 +1003,7 @@ spec: type: string maxItems: 2 type: array + x-kubernetes-list-type: set loadBalancer: default: type: OpenShiftManagedDefault @@ -1175,6 +1063,9 @@ spec: - url type: object type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map zone: description: 'zone holds the default zone for the new Power VS resources created by the cluster. Note: Currently only single-zone OCP clusters are supported' type: string @@ -1216,6 +1107,7 @@ spec: type: string maxItems: 2 type: array + x-kubernetes-list-type: set ingressIP: description: "ingressIP is an external IP which routes to the default ingress controller. The IP is a suitable target of a wildcard DNS record used to resolve default route host names. \n Deprecated: Use IngressIPs instead." type: string @@ -1226,6 +1118,7 @@ spec: type: string maxItems: 2 type: array + x-kubernetes-list-type: set loadBalancer: default: type: OpenShiftManagedDefault 
@@ -1242,15 +1135,6 @@ spec: - message: type is immutable once set rule: oldSelf == '' || self == oldSelf type: object - machineNetworks: - description: machineNetworks are IP networks used to connect all the OpenShift cluster nodes. - items: - description: CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). - pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) - type: string - maxItems: 32 - type: array - x-kubernetes-list-type: set nodeDNSIP: description: nodeDNSIP is the IP address for the internal DNS used by the nodes. Unlike the one managed by the DNS operator, `NodeDNSIP` provides name resolution for the nodes themselves. There is no DNS-as-a-service for vSphere deployments. 
In order to minimize necessary changes to the datacenter DNS, a DNS service is hosted as a static pod to serve those hostnames to the nodes in the cluster. type: string diff --git a/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_infrastructure-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_infrastructure-Default.crd.yaml index 2993f2f5c..865224167 100644 --- a/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_infrastructure-Default.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_infrastructure-Default.crd.yaml 
@@ -66,52 +66,14 @@ spec: type: string type: object type: array + x-kubernetes-list-type: atomic type: object azure: description: Azure contains settings specific to the Azure infrastructure provider. type: object baremetal: description: BareMetal contains settings specific to the BareMetal platform. - properties: - apiServerInternalIPs: - description: apiServerInternalIPs are the IP addresses to contact the Kubernetes API server that can be used by components inside the cluster, like kubelets using the infrastructure rather than Kubernetes networking. These are the IPs for a self-hosted load balancer in front of the API servers. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. When omitted, values from the status.apiServerInternalIPs will be used. Once set, the list cannot be completely removed (but its second entry can). - items: - description: IP is an IP address (for example, "10.0.0.0" or "fd00::"). 
- pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*) - type: string - maxItems: 2 - type: array - x-kubernetes-list-type: set - x-kubernetes-validations: - - message: apiServerInternalIPs must contain at most one IPv4 address and at most one IPv6 address - rule: 'size(self) == 2 ? self.exists_one(x, x.contains('':'')) : true' - ingressIPs: - description: ingressIPs are the external IPs which route to the default ingress controller. The IPs are suitable targets of a wildcard DNS record used to resolve default route host names. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. When omitted, values from the status.ingressIPs will be used. Once set, the list cannot be completely removed (but its second entry can). - items: - description: IP is an IP address (for example, "10.0.0.0" or "fd00::"). 
- pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*) - type: string - maxItems: 2 - type: array - x-kubernetes-list-type: set - x-kubernetes-validations: - - message: ingressIPs must contain at most one IPv4 address and at most one IPv6 address - rule: 'size(self) == 2 ? self.exists_one(x, x.contains('':'')) : true' - machineNetworks: - description: machineNetworks are IP networks used to connect all the OpenShift cluster nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". - items: - description: CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). 
- pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) - type: string - maxItems: 32 - type: array - x-kubernetes-list-type: set type: object - x-kubernetes-validations: - - message: apiServerInternalIPs list is required once set - rule: '!has(oldSelf.apiServerInternalIPs) || has(self.apiServerInternalIPs)' - - message: ingressIPs list is required once set - rule: '!has(oldSelf.ingressIPs) || has(self.ingressIPs)' equinixMetal: description: EquinixMetal contains settings specific to the Equinix Metal infrastructure provider. type: object 
@@ -269,46 +231,7 @@ spec: type: object openstack: description: OpenStack contains settings specific to the OpenStack infrastructure provider. - properties: - apiServerInternalIPs: - description: apiServerInternalIPs are the IP addresses to contact the Kubernetes API server that can be used by components inside the cluster, like kubelets using the infrastructure rather than Kubernetes networking. These are the IPs for a self-hosted load balancer in front of the API servers. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. When omitted, values from the status.apiServerInternalIPs will be used. Once set, the list cannot be completely removed (but its second entry can). - items: - description: IP is an IP address (for example, "10.0.0.0" or "fd00::"). - pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s
*) - type: string - maxItems: 2 - type: array - x-kubernetes-list-type: set - x-kubernetes-validations: - - message: apiServerInternalIPs must contain at most one IPv4 address and at most one IPv6 address - rule: 'size(self) == 2 ? self.exists_one(x, x.contains('':'')) : true' - ingressIPs: - description: ingressIPs are the external IPs which route to the default ingress controller. The IPs are suitable targets of a wildcard DNS record used to resolve default route host names. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. When omitted, values from the status.ingressIPs will be used. Once set, the list cannot be completely removed (but its second entry can). - items: - description: IP is an IP address (for example, "10.0.0.0" or "fd00::"). - pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*) - 
type: string - maxItems: 2 - type: array - x-kubernetes-list-type: set - x-kubernetes-validations: - - message: ingressIPs must contain at most one IPv4 address and at most one IPv6 address - rule: 'size(self) == 2 ? self.exists_one(x, x.contains('':'')) : true' - machineNetworks: - description: machineNetworks are IP networks used to connect all the OpenShift cluster nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". - items: - description: CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). - pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) - type: string - maxItems: 32 - type: array - x-kubernetes-list-type: set type: object - x-kubernetes-validations: - - message: apiServerInternalIPs list is required once set - rule: 
'!has(oldSelf.apiServerInternalIPs) || has(self.apiServerInternalIPs)' - - message: ingressIPs list is required once set - rule: '!has(oldSelf.ingressIPs) || has(self.ingressIPs)' ovirt: description: Ovirt contains settings specific to the oVirt infrastructure provider. type: object 
@@ -362,18 +285,6 @@ spec: vsphere: description: VSphere contains settings specific to the VSphere infrastructure provider. properties: - apiServerInternalIPs: - description: apiServerInternalIPs are the IP addresses to contact the Kubernetes API server that can be used by components inside the cluster, like kubelets using the infrastructure rather than Kubernetes networking. These are the IPs for a self-hosted load balancer in front of the API servers. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. When omitted, values from the status.apiServerInternalIPs will be used. Once set, the list cannot be completely removed (but its second entry can). - items: - description: IP is an IP address (for example, "10.0.0.0" or "fd00::"). - pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*) - type: string - 
maxItems: 2 - type: array - x-kubernetes-list-type: set - x-kubernetes-validations: - - message: apiServerInternalIPs must contain at most one IPv4 address and at most one IPv6 address - rule: 'size(self) == 2 ? self.exists_one(x, x.contains('':'')) : true' failureDomains: description: failureDomains contains the definition of region, zone and the vCenter topology. If this is omitted failure domains (regions and zones) will not be used. items: @@ -427,6 +338,7 @@ spec: maxItems: 1 minItems: 1 type: array + x-kubernetes-list-type: atomic resourcePool: description: resourcePool is the absolute path of the resource pool where virtual machines will be created. The absolute path is of the form //host//Resources/. The maximum length of the path is 2048 characters. maxLength: 2048 
@@ -451,27 +363,9 @@ spec: - zone type: object type: array - ingressIPs: - description: ingressIPs are the external IPs which route to the default ingress controller. The IPs are suitable targets of a wildcard DNS record used to resolve default route host names. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. When omitted, values from the status.ingressIPs will be used. Once set, the list cannot be completely removed (but its second entry can). - items: - description: IP is an IP address (for example, "10.0.0.0" or "fd00::"). - pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*) - type: string - maxItems: 2 - type: array - x-kubernetes-list-type: set - x-kubernetes-validations: - - message: ingressIPs must contain at most one IPv4 address and at most one IPv6 address - rule: 'size(self) == 2 ? 
self.exists_one(x, x.contains('':'')) : true' - machineNetworks: - description: machineNetworks are IP networks used to connect all the OpenShift cluster nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". - items: - description: CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). - pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) - type: string - maxItems: 32 - type: array - x-kubernetes-list-type: set + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map nodeNetworking: description: nodeNetworking contains the definition of internal and external network constraints for assigning the node's networking. 
If this field is omitted, networking defaults to the legacy address selection behavior which is to only support a single address and return the first one found. properties: @@ -484,6 +378,7 @@ spec: format: cidr type: string type: array + x-kubernetes-list-type: atomic network: description: network VirtualMachine's VM Network names that will be used to when searching for status.addresses fields. Note that if internal.networkSubnetCIDR and external.networkSubnetCIDR are not set, then the vNIC associated to this network must only have a single IP address assigned to it. The available networks (port groups) can be listed using `govc ls 'network/*'` type: string @@ -493,6 +388,7 @@ spec: format: cidr type: string type: array + x-kubernetes-list-type: set type: object internal: description: internal represents the network configuration of the node that is routable only within the cluster. @@ -503,6 +399,7 @@ spec: format: cidr type: string type: array + x-kubernetes-list-type: atomic network: description: network VirtualMachine's VM Network names that will be used to when searching for status.addresses fields. Note that if internal.networkSubnetCIDR and external.networkSubnetCIDR are not set, then the vNIC associated to this network must only have a single IP address assigned to it. The available networks (port groups) can be listed using `govc ls 'network/*'` type: string @@ -512,6 +409,7 @@ spec: format: cidr type: string type: array + x-kubernetes-list-type: set type: object type: object vcenters: @@ -525,6 +423,7 @@ spec: type: string minItems: 1 type: array + x-kubernetes-list-type: set port: description: port is the TCP port that will be used to communicate to the vCenter endpoint. When omitted, this means the user has no opinion and it is up to the platform to choose a sensible default, which is subject to change over time. format: int32 
@@ -546,12 +445,8 @@ spec: maxItems: 1 minItems: 0 type: array + x-kubernetes-list-type: atomic type: object - x-kubernetes-validations: - - message: apiServerInternalIPs list is required once set - rule: '!has(oldSelf.apiServerInternalIPs) || has(self.apiServerInternalIPs)' - - message: ingressIPs list is required once set - rule: '!has(oldSelf.ingressIPs) || has(self.ingressIPs)' type: object type: object status: @@ -682,6 +577,7 @@ spec: type: object maxItems: 25 type: array + x-kubernetes-list-type: atomic serviceEndpoints: description: ServiceEndpoints list contains custom endpoints which will override default service endpoint of AWS Services. There must be only one ServiceEndpoint for a service. items: @@ -697,6 +593,7 @@ spec: type: string type: object type: array + x-kubernetes-list-type: atomic type: object azure: description: Azure contains settings specific to the Azure infrastructure provider. @@ -743,6 +640,7 @@ spec: type: object maxItems: 10 type: array + x-kubernetes-list-type: atomic x-kubernetes-validations: - message: resourceTags are immutable and may only be configured during installation rule: self.all(x, x in oldSelf) && oldSelf.all(x, x in self) @@ -763,6 +661,7 @@ spec: type: string maxItems: 2 type: array + x-kubernetes-list-type: set ingressIP: description: "ingressIP is an external IP which routes to the default ingress controller. The IP is a suitable target of a wildcard DNS record used to resolve default route host names. \n Deprecated: Use IngressIPs instead." type: string 
@@ -773,14 +672,6 @@ spec: type: string maxItems: 2 type: array - machineNetworks: - description: machineNetworks are IP networks used to connect all the OpenShift cluster nodes. - items: - description: CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). - pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) - type: string - maxItems: 32 - type: array x-kubernetes-list-type: set nodeDNSIP: description: nodeDNSIP is the IP address for the internal DNS used by the nodes. Unlike the one managed by the DNS operator, `NodeDNSIP` provides name resolution for the nodes themselves. There is no DNS-as-a-service for BareMetal deployments. In order to minimize necessary changes to the datacenter DNS, a DNS service is hosted as a static pod to serve those hostnames to the nodes in the cluster. 
@@ -906,6 +797,7 @@ spec: type: string maxItems: 2 type: array + x-kubernetes-list-type: set ingressIP: description: "ingressIP is an external IP which routes to the default ingress controller. The IP is a suitable target of a wildcard DNS record used to resolve default route host names. \n Deprecated: Use IngressIPs instead." type: string @@ -916,6 +808,7 @@ spec: type: string maxItems: 2 type: array + x-kubernetes-list-type: set type: object openstack: description: OpenStack contains settings specific to the OpenStack infrastructure provider. @@ -930,6 +823,7 @@ spec: type: string maxItems: 2 type: array + x-kubernetes-list-type: set cloudName: description: cloudName is the name of the desired OpenStack cloud in the client configuration file (`clouds.yaml`). type: string @@ -943,6 +837,7 @@ spec: type: string maxItems: 2 type: array + x-kubernetes-list-type: set loadBalancer: default: type: OpenShiftManagedDefault 
@@ -959,15 +854,6 @@ spec: - message: type is immutable once set rule: oldSelf == '' || self == oldSelf type: object - machineNetworks: - description: machineNetworks are IP networks used to connect all the OpenShift cluster nodes. - items: - description: CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). - pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) - type: string - maxItems: 32 - type: array - x-kubernetes-list-type: set nodeDNSIP: description: nodeDNSIP is the IP address for the internal DNS used by the nodes. Unlike the one managed by the DNS operator, `NodeDNSIP` provides name resolution for the nodes themselves. There is no DNS-as-a-service for OpenStack deployments. 
In order to minimize necessary changes to the datacenter DNS, a DNS service is hosted as a static pod to serve those hostnames to the nodes in the cluster. type: string @@ -985,6 +871,7 @@ spec: type: string maxItems: 2 type: array + x-kubernetes-list-type: set ingressIP: description: "ingressIP is an external IP which routes to the default ingress controller. The IP is a suitable target of a wildcard DNS record used to resolve default route host names. \n Deprecated: Use IngressIPs instead." type: string @@ -995,6 +882,7 @@ spec: type: string maxItems: 2 type: array + x-kubernetes-list-type: set nodeDNSIP: description: 'deprecated: as of 4.6, this field is no longer set or honored. It will be removed in a future release.' type: string @@ -1038,6 +926,9 @@ spec: - url type: object type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map zone: description: 'zone holds the default zone for the new Power VS resources created by the cluster. Note: Currently only single-zone OCP clusters are supported' type: string @@ -1079,6 +970,7 @@ spec: type: string maxItems: 2 type: array + x-kubernetes-list-type: set ingressIP: description: "ingressIP is an external IP which routes to the default ingress controller. The IP is a suitable target of a wildcard DNS record used to resolve default route host names. \n Deprecated: Use IngressIPs instead." type: string 
@@ -1089,14 +981,6 @@ spec: type: string maxItems: 2 type: array - machineNetworks: - description: machineNetworks are IP networks used to connect all the OpenShift cluster nodes. - items: - description: CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). - pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) - type: string - maxItems: 32 - type: array x-kubernetes-list-type: set nodeDNSIP: description: nodeDNSIP is the IP address for the internal DNS used by the nodes. Unlike the one managed by the DNS operator, `NodeDNSIP` provides name resolution for the nodes themselves. There is no DNS-as-a-service for vSphere deployments. In order to minimize necessary changes to the datacenter DNS, a DNS service is hosted as a static pod to serve those hostnames to the nodes in the cluster. 
diff --git a/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_infrastructure-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_infrastructure-TechPreviewNoUpgrade.crd.yaml
index 2936c90fd..7dac282bf 100644
--- a/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_infrastructure-TechPreviewNoUpgrade.crd.yaml
+++ b/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_infrastructure-TechPreviewNoUpgrade.crd.yaml
@@ -66,52 +66,14 @@ spec: type: string type: object type: array + x-kubernetes-list-type: atomic type: object azure: description: Azure contains settings specific to the Azure infrastructure provider. type: object baremetal: description: BareMetal contains settings specific to the BareMetal platform. - properties: - apiServerInternalIPs: - description: apiServerInternalIPs are the IP addresses to contact the Kubernetes API server that can be used by components inside the cluster, like kubelets using the infrastructure rather than Kubernetes networking. These are the IPs for a self-hosted load balancer in front of the API servers. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. When omitted, values from the status.apiServerInternalIPs will be used. Once set, the list cannot be completely removed (but its second entry can). - items: - description: IP is an IP address (for example, "10.0.0.0" or "fd00::"). 
- pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*) - type: string - maxItems: 2 - type: array - x-kubernetes-list-type: set - x-kubernetes-validations: - - message: apiServerInternalIPs must contain at most one IPv4 address and at most one IPv6 address - rule: 'size(self) == 2 ? self.exists_one(x, x.contains('':'')) : true' - ingressIPs: - description: ingressIPs are the external IPs which route to the default ingress controller. The IPs are suitable targets of a wildcard DNS record used to resolve default route host names. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. When omitted, values from the status.ingressIPs will be used. Once set, the list cannot be completely removed (but its second entry can). - items: - description: IP is an IP address (for example, "10.0.0.0" or "fd00::"). 
- pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*) - type: string - maxItems: 2 - type: array - x-kubernetes-list-type: set - x-kubernetes-validations: - - message: ingressIPs must contain at most one IPv4 address and at most one IPv6 address - rule: 'size(self) == 2 ? self.exists_one(x, x.contains('':'')) : true' - machineNetworks: - description: machineNetworks are IP networks used to connect all the OpenShift cluster nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". - items: - description: CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). 
- pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) - type: string - maxItems: 32 - type: array - x-kubernetes-list-type: set type: object - x-kubernetes-validations: - - message: apiServerInternalIPs list is required once set - rule: '!has(oldSelf.apiServerInternalIPs) || has(self.apiServerInternalIPs)' - - message: ingressIPs list is required once set - rule: '!has(oldSelf.ingressIPs) || has(self.ingressIPs)' equinixMetal: description: EquinixMetal contains settings specific to the Equinix Metal infrastructure provider. type: object 
@@ -269,46 +231,7 @@ spec: type: object openstack: description: OpenStack contains settings specific to the OpenStack infrastructure provider. - properties: - apiServerInternalIPs: - description: apiServerInternalIPs are the IP addresses to contact the Kubernetes API server that can be used by components inside the cluster, like kubelets using the infrastructure rather than Kubernetes networking. These are the IPs for a self-hosted load balancer in front of the API servers. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. When omitted, values from the status.apiServerInternalIPs will be used. Once set, the list cannot be completely removed (but its second entry can). - items: - description: IP is an IP address (for example, "10.0.0.0" or "fd00::"). - pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s
*) - type: string - maxItems: 2 - type: array - x-kubernetes-list-type: set - x-kubernetes-validations: - - message: apiServerInternalIPs must contain at most one IPv4 address and at most one IPv6 address - rule: 'size(self) == 2 ? self.exists_one(x, x.contains('':'')) : true' - ingressIPs: - description: ingressIPs are the external IPs which route to the default ingress controller. The IPs are suitable targets of a wildcard DNS record used to resolve default route host names. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. When omitted, values from the status.ingressIPs will be used. Once set, the list cannot be completely removed (but its second entry can). - items: - description: IP is an IP address (for example, "10.0.0.0" or "fd00::"). - pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*) - 
type: string - maxItems: 2 - type: array - x-kubernetes-list-type: set - x-kubernetes-validations: - - message: ingressIPs must contain at most one IPv4 address and at most one IPv6 address - rule: 'size(self) == 2 ? self.exists_one(x, x.contains('':'')) : true' - machineNetworks: - description: machineNetworks are IP networks used to connect all the OpenShift cluster nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". - items: - description: CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). - pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) - type: string - maxItems: 32 - type: array - x-kubernetes-list-type: set type: object - x-kubernetes-validations: - - message: apiServerInternalIPs list is required once set - rule: 
'!has(oldSelf.apiServerInternalIPs) || has(self.apiServerInternalIPs)' - - message: ingressIPs list is required once set - rule: '!has(oldSelf.ingressIPs) || has(self.ingressIPs)' ovirt: description: Ovirt contains settings specific to the oVirt infrastructure provider. type: object 
@@ -362,18 +285,6 @@ spec: vsphere: description: VSphere contains settings specific to the VSphere infrastructure provider. properties: - apiServerInternalIPs: - description: apiServerInternalIPs are the IP addresses to contact the Kubernetes API server that can be used by components inside the cluster, like kubelets using the infrastructure rather than Kubernetes networking. These are the IPs for a self-hosted load balancer in front of the API servers. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. When omitted, values from the status.apiServerInternalIPs will be used. Once set, the list cannot be completely removed (but its second entry can). - items: - description: IP is an IP address (for example, "10.0.0.0" or "fd00::"). - pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*) - type: string - 
maxItems: 2 - type: array - x-kubernetes-list-type: set - x-kubernetes-validations: - - message: apiServerInternalIPs must contain at most one IPv4 address and at most one IPv6 address - rule: 'size(self) == 2 ? self.exists_one(x, x.contains('':'')) : true' failureDomains: description: failureDomains contains the definition of region, zone and the vCenter topology. If this is omitted failure domains (regions and zones) will not be used. items: @@ -427,6 +338,7 @@ spec: maxItems: 1 minItems: 1 type: array + x-kubernetes-list-type: atomic resourcePool: description: resourcePool is the absolute path of the resource pool where virtual machines will be created. The absolute path is of the form //host//Resources/. The maximum length of the path is 2048 characters. maxLength: 2048 
@@ -457,27 +369,9 @@ spec: - zone type: object type: array - ingressIPs: - description: ingressIPs are the external IPs which route to the default ingress controller. The IPs are suitable targets of a wildcard DNS record used to resolve default route host names. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. When omitted, values from the status.ingressIPs will be used. Once set, the list cannot be completely removed (but its second entry can). - items: - description: IP is an IP address (for example, "10.0.0.0" or "fd00::"). - pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*) - type: string - maxItems: 2 - type: array - x-kubernetes-list-type: set - x-kubernetes-validations: - - message: ingressIPs must contain at most one IPv4 address and at most one IPv6 address - rule: 'size(self) == 2 ? 
self.exists_one(x, x.contains('':'')) : true' - machineNetworks: - description: machineNetworks are IP networks used to connect all the OpenShift cluster nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". - items: - description: CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). - pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) - type: string - maxItems: 32 - type: array - x-kubernetes-list-type: set + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map nodeNetworking: description: nodeNetworking contains the definition of internal and external network constraints for assigning the node's networking. 
If this field is omitted, networking defaults to the legacy address selection behavior which is to only support a single address and return the first one found. properties: @@ -490,6 +384,7 @@ spec: format: cidr type: string type: array + x-kubernetes-list-type: atomic network: description: network VirtualMachine's VM Network names that will be used to when searching for status.addresses fields. Note that if internal.networkSubnetCIDR and external.networkSubnetCIDR are not set, then the vNIC associated to this network must only have a single IP address assigned to it. The available networks (port groups) can be listed using `govc ls 'network/*'` type: string @@ -499,6 +394,7 @@ spec: format: cidr type: string type: array + x-kubernetes-list-type: set type: object internal: description: internal represents the network configuration of the node that is routable only within the cluster. @@ -509,6 +405,7 @@ spec: format: cidr type: string type: array + x-kubernetes-list-type: atomic network: description: network VirtualMachine's VM Network names that will be used to when searching for status.addresses fields. Note that if internal.networkSubnetCIDR and external.networkSubnetCIDR are not set, then the vNIC associated to this network must only have a single IP address assigned to it. The available networks (port groups) can be listed using `govc ls 'network/*'` type: string @@ -518,6 +415,7 @@ spec: format: cidr type: string type: array + x-kubernetes-list-type: set type: object type: object vcenters: @@ -531,6 +429,7 @@ spec: type: string minItems: 1 type: array + x-kubernetes-list-type: set port: description: port is the TCP port that will be used to communicate to the vCenter endpoint. When omitted, this means the user has no opinion and it is up to the platform to choose a sensible default, which is subject to change over time. format: int32 
@@ -552,12 +451,8 @@ spec: maxItems: 1 minItems: 0 type: array + x-kubernetes-list-type: atomic type: object - x-kubernetes-validations: - - message: apiServerInternalIPs list is required once set - rule: '!has(oldSelf.apiServerInternalIPs) || has(self.apiServerInternalIPs)' - - message: ingressIPs list is required once set - rule: '!has(oldSelf.ingressIPs) || has(self.ingressIPs)' type: object type: object status: @@ -688,6 +583,7 @@ spec: type: object maxItems: 25 type: array + x-kubernetes-list-type: atomic serviceEndpoints: description: ServiceEndpoints list contains custom endpoints which will override default service endpoint of AWS Services. There must be only one ServiceEndpoint for a service. items: @@ -703,6 +599,7 @@ spec: type: string type: object type: array + x-kubernetes-list-type: atomic type: object azure: description: Azure contains settings specific to the Azure infrastructure provider. @@ -749,6 +646,7 @@ spec: type: object maxItems: 10 type: array + x-kubernetes-list-type: atomic x-kubernetes-validations: - message: resourceTags are immutable and may only be configured during installation rule: self.all(x, x in oldSelf) && oldSelf.all(x, x in self) @@ -769,6 +667,7 @@ spec: type: string maxItems: 2 type: array + x-kubernetes-list-type: set ingressIP: description: "ingressIP is an external IP which routes to the default ingress controller. The IP is a suitable target of a wildcard DNS record used to resolve default route host names. \n Deprecated: Use IngressIPs instead." type: string @@ -779,6 +678,7 @@ spec: type: string maxItems: 2 type: array + x-kubernetes-list-type: set loadBalancer: default: type: OpenShiftManagedDefault 
@@ -795,15 +695,6 @@ spec: - message: type is immutable once set rule: oldSelf == '' || self == oldSelf type: object - machineNetworks: - description: machineNetworks are IP networks used to connect all the OpenShift cluster nodes. - items: - description: CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). - pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) - type: string - maxItems: 32 - type: array - x-kubernetes-list-type: set nodeDNSIP: description: nodeDNSIP is the IP address for the internal DNS used by the nodes. Unlike the one managed by the DNS operator, `NodeDNSIP` provides name resolution for the nodes themselves. There is no DNS-as-a-service for BareMetal deployments. 
In order to minimize necessary changes to the datacenter DNS, a DNS service is hosted as a static pod to serve those hostnames to the nodes in the cluster. type: string @@ -1011,6 +902,7 @@ spec: type: string maxItems: 2 type: array + x-kubernetes-list-type: set ingressIP: description: "ingressIP is an external IP which routes to the default ingress controller. The IP is a suitable target of a wildcard DNS record used to resolve default route host names. \n Deprecated: Use IngressIPs instead." type: string @@ -1021,6 +913,7 @@ spec: type: string maxItems: 2 type: array + x-kubernetes-list-type: set loadBalancer: default: type: OpenShiftManagedDefault @@ -1051,6 +944,7 @@ spec: type: string maxItems: 2 type: array + x-kubernetes-list-type: set cloudName: description: cloudName is the name of the desired OpenStack cloud in the client configuration file (`clouds.yaml`). type: string @@ -1064,6 +958,7 @@ spec: type: string maxItems: 2 type: array + x-kubernetes-list-type: set loadBalancer: default: type: OpenShiftManagedDefault 
@@ -1080,15 +975,6 @@ spec: - message: type is immutable once set rule: oldSelf == '' || self == oldSelf type: object - machineNetworks: - description: machineNetworks are IP networks used to connect all the OpenShift cluster nodes. - items: - description: CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). - pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) - type: string - maxItems: 32 - type: array - x-kubernetes-list-type: set nodeDNSIP: description: nodeDNSIP is the IP address for the internal DNS used by the nodes. Unlike the one managed by the DNS operator, `NodeDNSIP` provides name resolution for the nodes themselves. There is no DNS-as-a-service for OpenStack deployments. 
In order to minimize necessary changes to the datacenter DNS, a DNS service is hosted as a static pod to serve those hostnames to the nodes in the cluster. type: string @@ -1106,6 +992,7 @@ spec: type: string maxItems: 2 type: array + x-kubernetes-list-type: set ingressIP: description: "ingressIP is an external IP which routes to the default ingress controller. The IP is a suitable target of a wildcard DNS record used to resolve default route host names. \n Deprecated: Use IngressIPs instead." type: string @@ -1116,6 +1003,7 @@ spec: type: string maxItems: 2 type: array + x-kubernetes-list-type: set loadBalancer: default: type: OpenShiftManagedDefault @@ -1175,6 +1063,9 @@ spec: - url type: object type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map zone: description: 'zone holds the default zone for the new Power VS resources created by the cluster. Note: Currently only single-zone OCP clusters are supported' type: string @@ -1216,6 +1107,7 @@ spec: type: string maxItems: 2 type: array + x-kubernetes-list-type: set ingressIP: description: "ingressIP is an external IP which routes to the default ingress controller. The IP is a suitable target of a wildcard DNS record used to resolve default route host names. \n Deprecated: Use IngressIPs instead." type: string @@ -1226,6 +1118,7 @@ spec: type: string maxItems: 2 type: array + x-kubernetes-list-type: set loadBalancer: default: type: OpenShiftManagedDefault 
@@ -1242,15 +1135,6 @@ spec: - message: type is immutable once set rule: oldSelf == '' || self == oldSelf type: object - machineNetworks: - description: machineNetworks are IP networks used to connect all the OpenShift cluster nodes. - items: - description: CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). - pattern: (^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) - type: string - maxItems: 32 - type: array - x-kubernetes-list-type: set nodeDNSIP: description: nodeDNSIP is the IP address for the internal DNS used by the nodes. Unlike the one managed by the DNS operator, `NodeDNSIP` provides name resolution for the nodes themselves. There is no DNS-as-a-service for vSphere deployments. 
In order to minimize necessary changes to the datacenter DNS, a DNS service is hosted as a static pod to serve those hostnames to the nodes in the cluster. type: string diff --git a/vendor/github.com/openshift/api/config/v1/custom.authentication.testsuite.yaml b/vendor/github.com/openshift/api/config/v1/custom.authentication.testsuite.yaml index aceb3ebd6..1dccb080a 100644 --- a/vendor/github.com/openshift/api/config/v1/custom.authentication.testsuite.yaml +++ b/vendor/github.com/openshift/api/config/v1/custom.authentication.testsuite.yaml 
@@ -12,3 +12,262 @@ tests:
 apiVersion: config.openshift.io/v1
 kind: Authentication
 spec: {}
+ - name: Cannot set username claim prefix with policy NoPrefix
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: Authentication
+ spec:
+ type: OIDC
+ oidcProviders:
+ - name: myoidc
+ issuer:
+ issuerURL: https://meh.tld
+ audiences: ['openshift-aud']
+ claimMappings:
+ username:
+ claim: "preferred_username"
+ prefixPolicy: NoPrefix
+ prefix:
+ prefixString: "myoidc:"
+ expectedError: "prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise"
+ - name: Can set username claim prefix with policy Prefix
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: Authentication
+ spec:
+ type: OIDC
+ oidcProviders:
+ - name: myoidc
+ issuer:
+ issuerURL: https://meh.tld
+ audiences: ['openshift-aud']
+ claimMappings:
+ username:
+ claim: "preferred_username"
+ prefixPolicy: Prefix
+ prefix:
+ prefixString: "myoidc:"
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: Authentication
+ spec:
+ type: OIDC
+ oidcProviders:
+ - name: myoidc
+ issuer:
+ issuerURL: https://meh.tld
+ audiences: ['openshift-aud']
+ claimMappings:
+ username:
+ claim: "preferred_username"
+ prefixPolicy: Prefix
+ prefix:
+ prefixString: "myoidc:"
+ - name: Cannot leave username claim prefix blank with policy Prefix
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: Authentication
+ spec:
+ type: OIDC
+ oidcProviders:
+ - name: myoidc
+ issuer:
+ issuerURL: https://meh.tld
+ audiences: ['openshift-aud']
+ claimMappings:
+ username:
+ claim: "preferred_username"
+ prefixPolicy: Prefix
+ expectedError: "prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise"
+ - name: Can set OIDC providers with no username prefixing
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: Authentication
+ spec:
+ type: OIDC
+ oidcProviders:
+ - name: myoidc
+ issuer:
+ issuerURL: https://meh.tld
+ audiences: ['openshift-aud']
+ claimMappings:
+ username:
+ claim: "preferred_username"
+ prefixPolicy: NoPrefix
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: Authentication
+ spec:
+ type: OIDC
+ oidcProviders:
+ - name: myoidc
+ issuer:
+ issuerURL: https://meh.tld
+ audiences: ['openshift-aud']
+ claimMappings:
+ username:
+ claim: "preferred_username"
+ prefixPolicy: NoPrefix
+ onUpdate:
+ - name: Updating OIDC provider with a client that's not in the status
+ initial: &initConfig |
+ apiVersion: config.openshift.io/v1
+ kind: Authentication
+ spec:
+ type: OIDC
+ oidcProviders:
+ - name: myoidc
+ issuer:
+ issuerURL: https://meh.tld
+ audiences: ['openshift-aud']
+ oidcClients:
+ - componentNamespace: namespace
+ componentName: preexisting
+ clientID: someclient
+ - componentNamespace: namespace
+ componentName: name
+ clientID: legitclient
+ status:
+ oidcClients:
+ - componentNamespace: namespace
+ componentName: name
+ - componentNamespace: namespace2
+ componentName: name2
+ - componentNamespace: namespace2
+ componentName: name3
+ updated: |
+ apiVersion: config.openshift.io/v1
+ kind: Authentication
+ spec:
+ type: OIDC
+ oidcProviders:
+ - name: myoidc
+ issuer:
+ issuerURL: https://meh.tld
+ audiences: ['openshift-aud']
+ oidcClients:
+ - componentNamespace: namespace
+ componentName: preexisting
+ clientID: someclient
+ - componentNamespace: namespace
+ componentName: name
+ clientID: legitclient
+ - componentNamespace: dif-namespace # new client here
+ componentName: tehName
+ clientID: cool-client
+ status:
+ oidcClients:
+ - componentNamespace: namespace
+ componentName: name
+ - componentNamespace: namespace2
+ componentName: name2
+ - componentNamespace: namespace2
+ componentName: name3
+ expectedError: "all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients"
+ - name: Updating OIDC provider with a client that's different from the previous one
+ initial: *initConfig
+ updated: |
+ apiVersion: config.openshift.io/v1
+ kind: Authentication
+ spec:
+ type: OIDC
+ oidcProviders:
+ - name: myoidc
+ issuer:
+ issuerURL: https://meh.tld
+ audiences: ['openshift-aud']
+ oidcClients:
+ - componentNamespace: dif-namespace
+ componentName: tehName
+ clientID: cool-client
+ status:
+ oidcClients:
+ - componentNamespace: namespace
+ componentName: name
+ - componentNamespace: namespace2
+ componentName: name2
+ - componentNamespace: namespace2
+ componentName: name3
+ expectedError: "all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients"
+ - name: Updating previously existing client
+ initial: *initConfig
+ updated: &prevExistingUpdated |
+ apiVersion: config.openshift.io/v1
+ kind: Authentication
+ spec:
+ type: OIDC
+ oidcProviders:
+ - name: myoidc
+ issuer:
+ issuerURL: https://meh.tld
+ audiences: ['openshift-aud']
+ oidcClients:
+ - componentNamespace: namespace
+ componentName: preexisting
+ clientID: different-client
+ status:
+ oidcClients:
+ - componentNamespace: namespace
+ componentName: name
+ - componentNamespace: namespace2
+ componentName: name2
+ - componentNamespace: namespace2
+ componentName: name3
+ expected: *prevExistingUpdated
+ - name: Removing a configured client from the status (== component unregister)
+ initial: *initConfig
+ updated: &removeFromStatus |
+ apiVersion: config.openshift.io/v1
+ kind: Authentication
+ spec:
+ type: OIDC
+ oidcProviders:
+ - name: myoidc
+ issuer:
+ issuerURL: https://meh.tld
+ audiences: ['openshift-aud']
+ oidcClients:
+ - componentNamespace: namespace
+ componentName: preexisting
+ clientID: different-client
+ - componentNamespace: namespace
+ componentName: name
+ clientID: legitclient
+ status:
+ oidcClients:
+ - componentNamespace: namespace2
+ componentName: name2
+ - componentNamespace: namespace2
+ componentName: name3
+ expected: *removeFromStatus
+ - name: Simply add a valid client
+ initial: *initConfig
+ updated: &addClient |
+ apiVersion: config.openshift.io/v1
+ kind: Authentication
+ spec:
+ type: OIDC
+ oidcProviders:
+ - name: myoidc
+ issuer:
+ issuerURL: https://meh.tld
+ audiences: ['openshift-aud']
+ oidcClients:
+ - componentNamespace: namespace
+ componentName: preexisting
+ clientID: different-client
+ - componentNamespace: namespace
+ componentName: name
+ clientID: legitclient
+ - componentNamespace: namespace2
+ componentName: name3
+ clientID: justavalidclient
+ status:
+ oidcClients:
+ - componentNamespace: namespace
+ componentName: name
+ - componentNamespace: namespace2
+ componentName: name2
+ - componentNamespace: namespace2
+ componentName: name3
+ expected: *addClient
diff --git a/vendor/github.com/openshift/api/config/v1/custom.clusterversion.testsuite.yaml b/vendor/github.com/openshift/api/config/v1/custom.clusterversion.testsuite.yaml
new file mode 100644
index 000000000..f3090558b
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/custom.clusterversion.testsuite.yaml
@@ -0,0 +1,472 @@ +apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this +name: "[CustomNoUpgrade] ClusterVersion" +crd: 0000_00_cluster-version-operator_01_clusterversion-CustomNoUpgrade.crd.yaml +tests: + onCreate: + - name: Should be able to create a minimal ClusterVersion + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + expected: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + - name: Should allow image to be set + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + desiredUpdate: + image: bar + expected: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + desiredUpdate: + image: bar + - name: Should allow version to be set + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + desiredUpdate: + version: 4.11.1 + expected: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + desiredUpdate: + version: 4.11.1 + - name: Should allow architecture to be empty + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + desiredUpdate: + architecture: "" + version: 4.11.1 + expected: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + desiredUpdate: + architecture: "" + version: 4.11.1 + - name: Should allow architecture and version to be set + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + desiredUpdate: + architecture: Multi + version: 4.11.1 + expected: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + desiredUpdate: + architecture: Multi + version: 4.11.1 + - name: Version must be set if architecture is set + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + 
desiredUpdate: + architecture: Multi + expectedError: "Version must be set if Architecture is set" + - name: Should not allow image and architecture to be set + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + desiredUpdate: + architecture: Multi + version: 4.11.1 + image: bar + expectedError: "cannot set both Architecture and Image" + - name: Should be able to create a ClusterVersion with base capability None, and additional capabilities baremetal and MachineAPI + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + capabilities: + baselineCapabilitySet: None + additionalEnabledCapabilities: + - baremetal + - MachineAPI + expected: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + capabilities: + baselineCapabilitySet: None + additionalEnabledCapabilities: + - baremetal + - MachineAPI + - name: Should not be able to create a ClusterVersion with base capability None, and additional capabilities baremetal without MachineAPI + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + capabilities: + baselineCapabilitySet: None + additionalEnabledCapabilities: + - baremetal + expectedError: the `baremetal` capability requires the `MachineAPI` capability, which is neither explicitly or implicitly enabled in this cluster, please enable the `MachineAPI` capability + - name: Should be able to create a ClusterVersion with base capability None, and additional capabilities marketplace and OperatorLifecycleManager + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + capabilities: + baselineCapabilitySet: None + additionalEnabledCapabilities: + - marketplace + - OperatorLifecycleManager + expected: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + capabilities: + baselineCapabilitySet: None + additionalEnabledCapabilities: 
+ - marketplace + - OperatorLifecycleManager + - name: Should not be able to create a ClusterVersion with base capability None, and additional capabilities marketplace without OperatorLifecycleManager + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + capabilities: + baselineCapabilitySet: None + additionalEnabledCapabilities: + - marketplace + expectedError: the `marketplace` capability requires the `OperatorLifecycleManager` capability, which is neither explicitly or implicitly enabled in this cluster, please enable the `OperatorLifecycleManager` capability + - name: Should be able to set a custom signature store + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + signatureStores: + - url: "https://osus.ocp.com" + expected: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + signatureStores: + - url: "https://osus.ocp.com" + - name: Should be able to set multiple custom signature store + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + signatureStores: + - url: "https://osus1.ocp.com" + - url: "https://osus2.ocp.com" + expected: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + signatureStores: + - url: "https://osus1.ocp.com" + - url: "https://osus2.ocp.com" + - name: Invalid custom signature store should throw error + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + signatureStores: + - url: "osus1.ocp.com" + expectedError: "url must be a valid absolute URL" + - name: Should be able to unset the signature stores + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + signatureStores: [] + expected: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + signatureStores: [] + onUpdate: + - name: Should not allow image to 
be set if architecture set + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + desiredUpdate: + architecture: Multi + version: 4.11.1 + updated: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + desiredUpdate: + architecture: Multi + version: 4.11.1 + image: bar + expectedError: "cannot set both Architecture and Image" + - name: Should not allow architecture to be set if image set + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + desiredUpdate: + image: bar + updated: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + desiredUpdate: + architecture: Multi + version: 4.11.1 + image: bar + expectedError: "cannot set both Architecture and Image" + - name: Should be able to add the baremetal capability with a ClusterVersion with base capability None, and implicitly enabled MachineAPI + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + capabilities: + baselineCapabilitySet: None + status: + desired: + version: foo + image: foo + observedGeneration: 1 + versionHash: foo + availableUpdates: + - version: foo + image: foo + capabilities: + enabledCapabilities: + - MachineAPI + updated: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + capabilities: + baselineCapabilitySet: None + additionalEnabledCapabilities: + - baremetal + status: + desired: + version: foo + image: foo + observedGeneration: 1 + versionHash: foo + availableUpdates: + - version: foo + image: foo + capabilities: + enabledCapabilities: + - MachineAPI + expected: | + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + spec: + clusterID: foo + capabilities: + baselineCapabilitySet: None + additionalEnabledCapabilities: + - baremetal + status: + desired: + version: foo + image: foo + observedGeneration: 1 + versionHash: foo + availableUpdates: + - 
version: foo
+ image: foo
+ capabilities:
+ enabledCapabilities:
+ - MachineAPI
+ - name: Should be able to add the baremetal capability with a ClusterVersion with base capability None, with the Machine API capability
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ updated: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ additionalEnabledCapabilities:
+ - baremetal
+ - MachineAPI
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ additionalEnabledCapabilities:
+ - baremetal
+ - MachineAPI
+ - name: Should not be able to add the baremetal capability with a ClusterVersion with base capability None, and without MachineAPI
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ updated: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ additionalEnabledCapabilities:
+ - baremetal
+ expectedError: the `baremetal` capability requires the `MachineAPI` capability, which is neither explicitly or implicitly enabled in this cluster, please enable the `MachineAPI` capability
+ - name: Should be able to add the marketplace capability with a ClusterVersion with base capability None, and implicitly enabled OperatorLifecycleManager
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ status:
+ desired:
+ version: foo
+ image: foo
+ observedGeneration: 1
+ versionHash: foo
+ availableUpdates:
+ - version: foo
+ image: foo
+ capabilities:
+ enabledCapabilities:
+ - OperatorLifecycleManager
+ updated: |
+ apiVersion: config.openshift.io/v1
+
kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ additionalEnabledCapabilities:
+ - marketplace
+ status:
+ desired:
+ version: foo
+ image: foo
+ observedGeneration: 1
+ versionHash: foo
+ availableUpdates:
+ - version: foo
+ image: foo
+ capabilities:
+ enabledCapabilities:
+ - OperatorLifecycleManager
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ additionalEnabledCapabilities:
+ - marketplace
+ status:
+ desired:
+ version: foo
+ image: foo
+ observedGeneration: 1
+ versionHash: foo
+ availableUpdates:
+ - version: foo
+ image: foo
+ capabilities:
+ enabledCapabilities:
+ - OperatorLifecycleManager
+ - name: Should be able to add the marketplace capability with a ClusterVersion with base capability None, with the OperatorLifecycleManager capability
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ updated: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ additionalEnabledCapabilities:
+ - marketplace
+ - OperatorLifecycleManager
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ additionalEnabledCapabilities:
+ - marketplace
+ - OperatorLifecycleManager
+ - name: Should not be able to add the marketplace capability with a ClusterVersion with base capability None, and without OperatorLifecycleManager
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ updated: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ additionalEnabledCapabilities:
+ - marketplace
+ expectedError:
the `marketplace` capability requires the `OperatorLifecycleManager` capability, which is neither explicitly or implicitly enabled in this cluster, please enable the `OperatorLifecycleManager` capability
diff --git a/vendor/github.com/openshift/api/config/v1/feature_gates.go b/vendor/github.com/openshift/api/config/v1/feature_gates.go
index 5e165394a..dc53db89d 100644
--- a/vendor/github.com/openshift/api/config/v1/feature_gates.go
+++ b/vendor/github.com/openshift/api/config/v1/feature_gates.go
@@ -371,4 +371,45 @@ var (
 ResponsiblePerson: "titzhak",
 OwningProduct: ocpSpecific,
 }
+
+ FeatureGateManagedBootImages = FeatureGateName("ManagedBootImages")
+ managedBootImages = FeatureGateDescription{
+ FeatureGateAttributes: FeatureGateAttributes{
+ Name: FeatureGateManagedBootImages,
+ },
+ OwningJiraComponent: "MachineConfigOperator",
+ ResponsiblePerson: "djoshy",
+ OwningProduct: ocpSpecific,
+ }
+
+ FeatureGateDisableKubeletCloudCredentialProviders = FeatureGateName("DisableKubeletCloudCredentialProviders")
+ disableKubeletCloudCredentialProviders = FeatureGateDescription{
+ FeatureGateAttributes: FeatureGateAttributes{
+ Name: FeatureGateDisableKubeletCloudCredentialProviders,
+ },
+ OwningJiraComponent: "cloud-provider",
+ ResponsiblePerson: "jspeed",
+ OwningProduct: kubernetes,
+ }
+
+
+ FeatureGateOnClusterBuild = FeatureGateName("OnClusterBuild")
+ onClusterBuild = FeatureGateDescription{
+ FeatureGateAttributes: FeatureGateAttributes{
+ Name: FeatureGateOnClusterBuild,
+ },
+ OwningJiraComponent: "MachineConfigOperator",
+ ResponsiblePerson: "dkhater",
+ OwningProduct: ocpSpecific,
+ }
+
+ FeatureGateSignatureStores = FeatureGateName("SignatureStores")
+ signatureStores = FeatureGateDescription{
+ FeatureGateAttributes: FeatureGateAttributes{
+ Name: FeatureGateSignatureStores,
+ },
+ OwningJiraComponent: "over-the-air-updates",
+ ResponsiblePerson: "lmohanty",
+ OwningProduct: ocpSpecific,
+ }
 )
diff --git a/vendor/github.com/openshift/api/config/v1/stable.clusterversion.testsuite.yaml b/vendor/github.com/openshift/api/config/v1/stable.clusterversion.testsuite.yaml
index 50bb3e027..4c3fed149 100644
--- a/vendor/github.com/openshift/api/config/v1/stable.clusterversion.testsuite.yaml
+++ b/vendor/github.com/openshift/api/config/v1/stable.clusterversion.testsuite.yaml
@@ -1,6 +1,6 @@
 apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
 name: "[Stable] ClusterVersion"
-crd: 0000_00_cluster-version-operator_01_clusterversion.crd.yaml
+crd: 0000_00_cluster-version-operator_01_clusterversion-Default.crd.yaml
 tests:
 onCreate:
 - name: Should be able to create a minimal ClusterVersion
diff --git a/vendor/github.com/openshift/api/config/v1/stable.infrastructure.testsuite.yaml b/vendor/github.com/openshift/api/config/v1/stable.infrastructure.testsuite.yaml
index 9d0861b68..025cae85a 100644
--- a/vendor/github.com/openshift/api/config/v1/stable.infrastructure.testsuite.yaml
+++ b/vendor/github.com/openshift/api/config/v1/stable.infrastructure.testsuite.yaml
@@ -12,176 +12,6 @@ tests:
 apiVersion: config.openshift.io/v1
 kind: Infrastructure
 spec: {}
- - name: Should be able to pass 2 IP addresses to apiServerInternalIPs in the platform spec
- initial: |
- apiVersion: config.openshift.io/v1
- kind: Infrastructure
- spec:
- platformSpec:
- type: BareMetal
- baremetal:
- apiServerInternalIPs:
- - 192.0.2.1
- - "2001:db8::1"
- expected: |
- apiVersion: config.openshift.io/v1
- kind: Infrastructure
- spec:
- platformSpec:
- type: BareMetal
- baremetal:
- apiServerInternalIPs:
- - 192.0.2.1
- - "2001:db8::1"
- - name: Should not be able to pass not-an-IP to apiServerInternalIPs in the platform spec
- initial: |
- apiVersion: config.openshift.io/v1
- kind: Infrastructure
- spec:
- platformSpec:
- type: BareMetal
- baremetal:
- apiServerInternalIPs:
- - not-an-ip-address
- expectedError: "Invalid value: \"not-an-ip-address\""
- - name: Should not be able to pass 2 IPv4 addresses to apiServerInternalIPs in the platform spec
- initial: |
- apiVersion: config.openshift.io/v1
- kind: Infrastructure
- spec:
- platformSpec:
- type: BareMetal
- baremetal:
- apiServerInternalIPs:
- - 192.0.2.1
- - 192.0.2.2
- expectedError: "apiServerInternalIPs must contain at most one IPv4 address and at most one IPv6 address"
- - name: Should not be able to pass 2 IPv6 addresses to apiServerInternalIPs in the platform spec
- initial: |
- apiVersion: config.openshift.io/v1
- kind: Infrastructure
- spec:
- platformSpec:
- type: BareMetal
- baremetal:
- apiServerInternalIPs:
- - "2001:db8::1"
- - "2001:db8::2"
- expectedError: "apiServerInternalIPs must contain at most one IPv4 address and at most one IPv6 address"
- - name: Should not be able to pass more than 2 entries to apiServerInternalIPs in the platform spec
- initial: |
- apiVersion: config.openshift.io/v1
- kind: Infrastructure
- spec:
- platformSpec:
- type: BareMetal
- baremetal:
- apiServerInternalIPs:
- - 192.0.2.1
- - "2001:db8::1"
- - 192.0.2.2
- expectedError: "Too many: 3: must have at
most 2 items"
- - name: Should be able to pass 2 IP addresses to ingressIPs in the platform spec
- initial: |
- apiVersion: config.openshift.io/v1
- kind: Infrastructure
- spec:
- platformSpec:
- type: BareMetal
- baremetal:
- ingressIPs:
- - 192.0.2.1
- - "2001:db8::1"
- expected: |
- apiVersion: config.openshift.io/v1
- kind: Infrastructure
- spec:
- platformSpec:
- type: BareMetal
- baremetal:
- ingressIPs:
- - 192.0.2.1
- - "2001:db8::1"
- - name: Should not be able to pass not-an-IP to ingressIPs in the platform spec
- initial: |
- apiVersion: config.openshift.io/v1
- kind: Infrastructure
- spec:
- platformSpec:
- type: BareMetal
- baremetal:
- ingressIPs:
- - not-an-ip-address
- expectedError: "Invalid value: \"not-an-ip-address\""
- - name: Should not be able to pass 2 IPv4 addresses to ingressIPs in the platform spec
- initial: |
- apiVersion: config.openshift.io/v1
- kind: Infrastructure
- spec:
- platformSpec:
- type: BareMetal
- baremetal:
- ingressIPs:
- - 192.0.2.1
- - 192.0.2.2
- expectedError: "ingressIPs must contain at most one IPv4 address and at most one IPv6 address"
- - name: Should not be able to pass 2 IPv6 addresses to ingressIPs in the platform spec
- initial: |
- apiVersion: config.openshift.io/v1
- kind: Infrastructure
- spec:
- platformSpec:
- type: BareMetal
- baremetal:
- ingressIPs:
- - "2001:db8::1"
- - "2001:db8::2"
- expectedError: "ingressIPs must contain at most one IPv4 address and at most one IPv6 address"
- - name: Should not be able to pass more than 2 entries to ingressIPs in the platform spec
- initial: |
- apiVersion: config.openshift.io/v1
- kind: Infrastructure
- spec:
- platformSpec:
- type: BareMetal
- baremetal:
- ingressIPs:
- - 192.0.2.1
- - "2001:db8::1"
- - 192.0.2.2
- expectedError: "Too many: 3: must have at most 2 items"
- - name: Should be able to pass 2 IP subnets addresses to machineNetworks in the platform spec
- initial: |
- apiVersion: config.openshift.io/v1
- kind: Infrastructure
- spec:
- platformSpec:
- type: BareMetal
- baremetal:
- machineNetworks:
- - "192.0.2.0/24"
- - "2001:db8::0/32"
- expected: |
- apiVersion: config.openshift.io/v1
- kind: Infrastructure
- spec:
- platformSpec:
- type: BareMetal
- baremetal:
- machineNetworks:
- - "192.0.2.0/24"
- - "2001:db8::0/32"
- - name: Should not be able to pass not-a-CIDR to machineNetworks in the platform spec
- initial: |
- apiVersion: config.openshift.io/v1
- kind: Infrastructure
- spec:
- platformSpec:
- type: BareMetal
- baremetal:
- machineNetworks:
- - 192.0.2.1
- expectedError: "Invalid value: \"192.0.2.1\""
 onUpdate:
 - name: Should be able to change External platformName from unknown to something else
 initial: |
diff --git a/vendor/github.com/openshift/api/config/v1/techpreview.authentication.testsuite.yaml b/vendor/github.com/openshift/api/config/v1/techpreview.authentication.testsuite.yaml
index b29790dbd..f904ceafa 100644
--- a/vendor/github.com/openshift/api/config/v1/techpreview.authentication.testsuite.yaml
+++ b/vendor/github.com/openshift/api/config/v1/techpreview.authentication.testsuite.yaml
@@ -108,3 +108,180 @@ tests:
 username:
 claim: "preferred_username"
 prefixPolicy: NoPrefix
+ onUpdate:
+ - name: Updating OIDC provider with a client that's not in the status
+ initial: &initConfig |
+ apiVersion: config.openshift.io/v1
+ kind: Authentication
+ spec:
+ type: OIDC
+ oidcProviders:
+ - name: myoidc
+ issuer:
+ issuerURL: https://meh.tld
+ audiences: ['openshift-aud']
+ oidcClients:
+ - componentNamespace: namespace
+ componentName: preexisting
+ clientID: someclient
+ - componentNamespace: namespace
+ componentName: name
+ clientID: legitclient
+ status:
+ oidcClients:
+ - componentNamespace: namespace
+ componentName: name
+ - componentNamespace: namespace2
+ componentName: name2
+ - componentNamespace: namespace2
+ componentName: name3
+ updated: |
+ apiVersion: config.openshift.io/v1
+ kind: Authentication
+ spec:
+ type: OIDC
+ oidcProviders:
+ - name: myoidc
+ issuer:
+ issuerURL: https://meh.tld
+ audiences: ['openshift-aud']
+ oidcClients:
+ - componentNamespace: namespace
+ componentName: preexisting
+ clientID: someclient
+ - componentNamespace: namespace
+ componentName: name
+ clientID: legitclient
+ - componentNamespace: dif-namespace # new client here
+ componentName: tehName
+ clientID: cool-client
+ status:
+ oidcClients:
+ - componentNamespace: namespace
+ componentName: name
+ - componentNamespace: namespace2
+ componentName: name2
+ - componentNamespace: namespace2
+ componentName: name3
+ expectedError: "all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients"
+ - name: Updating OIDC provider with a client that's different from the previous one
+ initial: *initConfig
+ updated: |
+ apiVersion: config.openshift.io/v1
+ kind: Authentication
+ spec:
+ type: OIDC
+ oidcProviders:
+ - name: myoidc
+ issuer:
+ issuerURL: https://meh.tld
+ audiences: ['openshift-aud']
+ oidcClients:
+ - componentNamespace:
dif-namespace
+ componentName: tehName
+ clientID: cool-client
+ status:
+ oidcClients:
+ - componentNamespace: namespace
+ componentName: name
+ - componentNamespace: namespace2
+ componentName: name2
+ - componentNamespace: namespace2
+ componentName: name3
+ expectedError: "all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients"
+ - name: Updating previously existing client
+ initial: *initConfig
+ updated: &prevExistingUpdated |
+ apiVersion: config.openshift.io/v1
+ kind: Authentication
+ spec:
+ type: OIDC
+ oidcProviders:
+ - name: myoidc
+ issuer:
+ issuerURL: https://meh.tld
+ audiences: ['openshift-aud']
+ oidcClients:
+ - componentNamespace: namespace
+ componentName: preexisting
+ clientID: different-client
+ status:
+ oidcClients:
+ - componentNamespace: namespace
+ componentName: name
+ - componentNamespace: namespace2
+ componentName: name2
+ - componentNamespace: namespace2
+ componentName: name3
+ expected: *prevExistingUpdated
+ - name: Removing a configured client from the status (== component unregister)
+ initial: *initConfig
+ updated: &removeFromStatus |
+ apiVersion: config.openshift.io/v1
+ kind: Authentication
+ spec:
+ type: OIDC
+ oidcProviders:
+ - name: myoidc
+ issuer:
+ issuerURL: https://meh.tld
+ audiences: ['openshift-aud']
+ oidcClients:
+ - componentNamespace: namespace
+ componentName: preexisting
+ clientID: different-client
+ - componentNamespace: namespace
+ componentName: name
+ clientID: legitclient
+ status:
+ oidcClients:
+ - componentNamespace: namespace2
+ componentName: name2
+ - componentNamespace: namespace2
+ componentName: name3
+ expected: *removeFromStatus
+ - name: Simply add a valid client
+ initial: *initConfig
+ updated: &addClient |
+ apiVersion: config.openshift.io/v1
+ kind: Authentication
+ spec:
+ type: OIDC
+ oidcProviders:
+ - name: myoidc
+ issuer:
+ issuerURL: https://meh.tld
+ audiences: ['openshift-aud']
+ oidcClients:
+ - componentNamespace: namespace
+ componentName: preexisting
+ clientID: different-client
+ - componentNamespace: namespace
+ componentName: name
+ clientID: legitclient
+ - componentNamespace: namespace2
+ componentName: name3
+ clientID: justavalidclient
+ status:
+ oidcClients:
+ - componentNamespace: namespace
+ componentName: name
+ - componentNamespace: namespace2
+ componentName: name2
+ - componentNamespace: namespace2
+ componentName: name3
+ expected: *addClient
+ - name: Remove all oidcProviders
+ initial: *initConfig
+ updated: &removeFromStatus |
+ apiVersion: config.openshift.io/v1
+ kind: Authentication
+ spec:
+ type: OIDC
+ status:
+ oidcClients:
+ - componentNamespace: namespace2
+ componentName: name2
+ - componentNamespace: namespace2
+ componentName: name3
+ expected: *removeFromStatus
\ No newline at end of file
diff --git a/vendor/github.com/openshift/api/config/v1/techpreview.clusterversion.testsuite.yaml b/vendor/github.com/openshift/api/config/v1/techpreview.clusterversion.testsuite.yaml
new file mode 100644
index 000000000..71988108e
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/techpreview.clusterversion.testsuite.yaml
@@ -0,0 +1,472 @@
+apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
+name: "[TechPreviewNoUpgrade] ClusterVersion"
+crd: 0000_00_cluster-version-operator_01_clusterversion-TechPreviewNoUpgrade.crd.yaml
+tests:
+ onCreate:
+ - name: Should be able to create a minimal ClusterVersion
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ - name: Should allow image to be set
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ desiredUpdate:
+ image: bar
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ desiredUpdate:
+ image: bar
+ - name: Should allow version to be set
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ desiredUpdate:
+ version: 4.11.1
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ desiredUpdate:
+ version: 4.11.1
+ - name: Should allow architecture to be empty
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ desiredUpdate:
+ architecture: ""
+ version: 4.11.1
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ desiredUpdate:
+ architecture: ""
+ version: 4.11.1
+ - name: Should allow architecture and version to be set
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ desiredUpdate:
+ architecture: Multi
+ version: 4.11.1
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ desiredUpdate:
+ architecture: Multi
+ version: 4.11.1
+ - name: Version must be set if architecture is set
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+
clusterID: foo
+ desiredUpdate:
+ architecture: Multi
+ expectedError: "Version must be set if Architecture is set"
+ - name: Should not allow image and architecture to be set
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ desiredUpdate:
+ architecture: Multi
+ version: 4.11.1
+ image: bar
+ expectedError: "cannot set both Architecture and Image"
+ - name: Should be able to create a ClusterVersion with base capability None, and additional capabilities baremetal and MachineAPI
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ additionalEnabledCapabilities:
+ - baremetal
+ - MachineAPI
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ additionalEnabledCapabilities:
+ - baremetal
+ - MachineAPI
+ - name: Should not be able to create a ClusterVersion with base capability None, and additional capabilities baremetal without MachineAPI
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ additionalEnabledCapabilities:
+ - baremetal
+ expectedError: the `baremetal` capability requires the `MachineAPI` capability, which is neither explicitly or implicitly enabled in this cluster, please enable the `MachineAPI` capability
+ - name: Should be able to create a ClusterVersion with base capability None, and additional capabilities marketplace and OperatorLifecycleManager
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ additionalEnabledCapabilities:
+ - marketplace
+ - OperatorLifecycleManager
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+
additionalEnabledCapabilities:
+ - marketplace
+ - OperatorLifecycleManager
+ - name: Should not be able to create a ClusterVersion with base capability None, and additional capabilities marketplace without OperatorLifecycleManager
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ additionalEnabledCapabilities:
+ - marketplace
+ expectedError: the `marketplace` capability requires the `OperatorLifecycleManager` capability, which is neither explicitly or implicitly enabled in this cluster, please enable the `OperatorLifecycleManager` capability
+ - name: Should be able to set a custom signature store
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ signatureStores:
+ - url: "https://osus.ocp.com"
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ signatureStores:
+ - url: "https://osus.ocp.com"
+ - name: Should be able to set multiple custom signature store
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ signatureStores:
+ - url: "https://osus1.ocp.com"
+ - url: "https://osus2.ocp.com"
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ signatureStores:
+ - url: "https://osus1.ocp.com"
+ - url: "https://osus2.ocp.com"
+ - name: Invalid custom signature store should throw error
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ signatureStores:
+ - url: "osus1.ocp.com"
+ expectedError: "url must be a valid absolute URL"
+ - name: Should be able to unset the signature stores
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ signatureStores: []
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ signatureStores: []
+ onUpdate:
+ -
name: Should not allow image to be set if architecture set
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ desiredUpdate:
+ architecture: Multi
+ version: 4.11.1
+ updated: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ desiredUpdate:
+ architecture: Multi
+ version: 4.11.1
+ image: bar
+ expectedError: "cannot set both Architecture and Image"
+ - name: Should not allow architecture to be set if image set
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ desiredUpdate:
+ image: bar
+ updated: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ desiredUpdate:
+ architecture: Multi
+ version: 4.11.1
+ image: bar
+ expectedError: "cannot set both Architecture and Image"
+ - name: Should be able to add the baremetal capability with a ClusterVersion with base capability None, and implicitly enabled MachineAPI
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ status:
+ desired:
+ version: foo
+ image: foo
+ observedGeneration: 1
+ versionHash: foo
+ availableUpdates:
+ - version: foo
+ image: foo
+ capabilities:
+ enabledCapabilities:
+ - MachineAPI
+ updated: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ additionalEnabledCapabilities:
+ - baremetal
+ status:
+ desired:
+ version: foo
+ image: foo
+ observedGeneration: 1
+ versionHash: foo
+ availableUpdates:
+ - version: foo
+ image: foo
+ capabilities:
+ enabledCapabilities:
+ - MachineAPI
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ additionalEnabledCapabilities:
+ - baremetal
+ status:
+ desired:
+ version: foo
+ image: foo
+ observedGeneration: 1
+
versionHash: foo
+ availableUpdates:
+ - version: foo
+ image: foo
+ capabilities:
+ enabledCapabilities:
+ - MachineAPI
+ - name: Should be able to add the baremetal capability with a ClusterVersion with base capability None, with the Machine API capability
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ updated: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ additionalEnabledCapabilities:
+ - baremetal
+ - MachineAPI
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ additionalEnabledCapabilities:
+ - baremetal
+ - MachineAPI
+ - name: Should not be able to add the baremetal capability with a ClusterVersion with base capability None, and without MachineAPI
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ updated: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ additionalEnabledCapabilities:
+ - baremetal
+ expectedError: the `baremetal` capability requires the `MachineAPI` capability, which is neither explicitly or implicitly enabled in this cluster, please enable the `MachineAPI` capability
+ - name: Should be able to add the marketplace capability with a ClusterVersion with base capability None, and implicitly enabled OperatorLifecycleManager
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ status:
+ desired:
+ version: foo
+ image: foo
+ observedGeneration: 1
+ versionHash: foo
+ availableUpdates:
+ - version: foo
+ image: foo
+ capabilities:
+ enabledCapabilities:
+ - OperatorLifecycleManager
+ updated: |
+
apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ additionalEnabledCapabilities:
+ - marketplace
+ status:
+ desired:
+ version: foo
+ image: foo
+ observedGeneration: 1
+ versionHash: foo
+ availableUpdates:
+ - version: foo
+ image: foo
+ capabilities:
+ enabledCapabilities:
+ - OperatorLifecycleManager
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ additionalEnabledCapabilities:
+ - marketplace
+ status:
+ desired:
+ version: foo
+ image: foo
+ observedGeneration: 1
+ versionHash: foo
+ availableUpdates:
+ - version: foo
+ image: foo
+ capabilities:
+ enabledCapabilities:
+ - OperatorLifecycleManager
+ - name: Should be able to add the marketplace capability with a ClusterVersion with base capability None, with the OperatorLifecycleManager capability
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ updated: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ additionalEnabledCapabilities:
+ - marketplace
+ - OperatorLifecycleManager
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ additionalEnabledCapabilities:
+ - marketplace
+ - OperatorLifecycleManager
+ - name: Should not be able to add the marketplace capability with a ClusterVersion with base capability None, and without OperatorLifecycleManager
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+ updated: |
+ apiVersion: config.openshift.io/v1
+ kind: ClusterVersion
+ spec:
+ clusterID: foo
+ capabilities:
+ baselineCapabilitySet: None
+
additionalEnabledCapabilities:
+ - marketplace
+ expectedError: the `marketplace` capability requires the `OperatorLifecycleManager` capability, which is neither explicitly or implicitly enabled in this cluster, please enable the `OperatorLifecycleManager` capability
diff --git a/vendor/github.com/openshift/api/config/v1/types_authentication.go b/vendor/github.com/openshift/api/config/v1/types_authentication.go
index 72c346ce1..b9d1e0c52 100644
--- a/vendor/github.com/openshift/api/config/v1/types_authentication.go
+++ b/vendor/github.com/openshift/api/config/v1/types_authentication.go
@@ -6,6 +6,7 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 // +genclient:nonNamespaced
 // +kubebuilder:subresource:status
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +openshift:validation:FeatureSetAwareXValidation:featureSet=CustomNoUpgrade;TechPreviewNoUpgrade,rule="!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace == specC.componentNamespace && statusC.componentName == specC.componentName) || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, oldC.componentNamespace == specC.componentNamespace && oldC.componentName == specC.componentName)))))",message="all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients"
 // Authentication specifies cluster-wide settings for authentication (like OAuth and
 // webhook token authenticators). The canonical name of an instance is `cluster`.
@@ -104,8 +105,15 @@ type AuthenticationStatus struct {
 // The namespace for this config map is openshift-config-managed.
 IntegratedOAuthMetadata ConfigMapNameReference `json:"integratedOAuthMetadata"`
- // TODO if we add support for an in-cluster operator managed Keycloak instance
- // KeycloakOAuthMetadata ConfigMapNameReference `json:"keycloakOAuthMetadata"`
+ // OIDCClients is where participating operators place the current OIDC client status
+ // for OIDC clients that can be customized by the cluster-admin.
+ //
+ // +listType=map
+ // +listMapKey=componentNamespace
+ // +listMapKey=componentName
+ // +kubebuilder:validation:MaxItems=20
+ // +openshift:enable:FeatureSets=CustomNoUpgrade;TechPreviewNoUpgrade
+ OIDCClients []OIDCClientStatus `json:"oidcClients"`
 }
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -192,6 +200,15 @@ type OIDCProvider struct {
 // +required
 Issuer TokenIssuer `json:"issuer"`
+ // OIDCClients contains configuration for the platform's clients that
+ // need to request tokens from the issuer
+ //
+ // +listType=map
+ // +listMapKey=componentNamespace
+ // +listMapKey=componentName
+ // +kubebuilder:validation:MaxItems=20
+ OIDCClients []OIDCClientConfig `json:"oidcClients"`
+
+ // ClaimMappings describes rules on how to transform information from an
 // ID token into a cluster identity
 ClaimMappings TokenClaimMappings `json:"claimMappings"`
@@ -253,6 +270,110 @@ type TokenClaimMapping struct {
 Claim string `json:"claim"`
 }
+type OIDCClientConfig struct {
+ // ComponentName is the name of the component that is supposed to consume this
+ // client configuration
+ //
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=256
+ // +kubebuilder:validation:Required
+ // +required
+ ComponentName string `json:"componentName"`
+
+ // ComponentNamespace is the namespace of the component that is supposed to consume this
+ // client configuration
+ //
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=63
+ // +kubebuilder:validation:Required
+ // +required
+ ComponentNamespace string `json:"componentNamespace"`
+
+ // ClientID is the identifier of the OIDC client from the OIDC provider
+ //
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:Required
+ // +required
+ ClientID string `json:"clientID"`
+
+ // ClientSecret refers to a secret in the `openshift-config` namespace that
+ // contains the client secret in the `clientSecret` key of the `.data` field
+ ClientSecret SecretNameReference `json:"clientSecret"`
+
+ // ExtraScopes is an optional set of scopes to request tokens with.
+ //
+ // +listType=set
+ ExtraScopes []string `json:"extraScopes"`
+}
+
+type OIDCClientStatus struct {
+ // ComponentName is the name of the component that will consume a client configuration.
+ //
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=256
+ // +kubebuilder:validation:Required
+ // +required
+ ComponentName string `json:"componentName"`
+
+ // ComponentNamespace is the namespace of the component that will consume a client configuration.
+ //
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=63
+ // +kubebuilder:validation:Required
+ // +required
+ ComponentNamespace string `json:"componentNamespace"`
+
+ // CurrentOIDCClients is a list of clients that the component is currently using.
+ //
+ // +listType=map
+ // +listMapKey=issuerURL
+ // +listMapKey=clientID
+ CurrentOIDCClients []OIDCClientReference `json:"currentOIDCClients"`
+
+ // ConsumingUsers is a slice of ServiceAccounts that need to have read
+ // permission on the `clientSecret` secret.
+ //
+ // +kubebuilder:validation:MaxItems=5
+ // +listType=set
+ ConsumingUsers []ConsumingUser `json:"consumingUsers"`
+
+ // Conditions are used to communicate the state of the `oidcClients` entry.
+ //
+ // Supported conditions include Available, Degraded and Progressing.
+ //
+ // If Available is true, the component is successfully using the configured client.
+ // If Degraded is true, that means something has gone wrong trying to handle the client configuration.
+ // If Progressing is true, that means the component is taking some action related to the `oidcClients` entry.
+ //
+ // +listType=map
+ // +listMapKey=type
+ Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+type OIDCClientReference struct {
+ // OIDCName refers to the `name` of the provider from `oidcProviders`
+ //
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:Required
+ // +required
+ OIDCProviderName string `json:"oidcProviderName"`
+
+ // URL is the serving URL of the token issuer.
+ // Must use the https:// scheme.
+ //
+ // +kubebuilder:validation:Pattern=`^https:\/\/[^\s]`
+ // +kubebuilder:validation:Required
+ // +required
+ IssuerURL string `json:"issuerURL"`
+
+ // ClientID is the identifier of the OIDC client from the OIDC provider
+ //
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:Required
+ // +required
+ ClientID string `json:"clientID"`
+}
+
 // +kubebuilder:validation:XValidation:rule="has(self.prefixPolicy) && self.prefixPolicy == 'Prefix' ? 
(has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)",message="prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise"
 type UsernameClaimMapping struct {
 TokenClaimMapping `json:",inline"`
diff --git a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go
index e5a03bac7..0ceedbab4 100644
--- a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go
+++ b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go
@@ -88,9 +88,32 @@ type ClusterVersionSpec struct {
 // +optional
 Capabilities *ClusterVersionCapabilitiesSpec `json:"capabilities,omitempty"`
+ // signatureStores contains the upstream URIs to verify release signatures and optional
+ // reference to a config map by name containing the PEM-encoded CA bundle.
+ //
+ // By default, CVO will use existing signature stores if this property is empty.
+ // The CVO will check the release signatures in the local ConfigMaps first. It will search for a valid signature
+ // in these stores in parallel only when local ConfigMaps did not include a valid signature.
+ // Validation will fail if none of the signature stores reply with valid signature before timeout.
+ // Setting signatureStores will replace the default signature stores with custom signature stores.
+ // Default stores can be used with custom signature stores by adding them manually.
+ //
+ // A maximum of 32 signature stores may be configured.
+ // +kubebuilder:validation:MaxItems=32
+ // +openshift:enable:FeatureSets=CustomNoUpgrade;TechPreviewNoUpgrade
+ // +listType=map
+ // +listMapKey=url
+ // +optional
+ SignatureStores []SignatureStore `json:"signatureStores"`
+
 // overrides is list of overides for components that are managed by
 // cluster version operator. Marking a component unmanaged will prevent
 // the operator from creating or updating the object.
+ // +listType=map
+ // +listMapKey=kind
+ // +listMapKey=group
+ // +listMapKey=namespace
+ // +listMapKey=name
 // +optional
 Overrides []ComponentOverride `json:"overrides,omitempty"`
 }
@@ -116,6 +139,7 @@ type ClusterVersionStatus struct {
 // Completed if the rollout completed - if an update was failing or halfway
 // applied the state will be Partial. Only a limited amount of update history
 // is preserved.
+ // +listType=atomic
 // +optional
 History []UpdateHistory `json:"history,omitempty"`
@@ -143,8 +167,12 @@ type ClusterVersionStatus struct {
 // by a temporary or permanent error. Conditions are only valid for the
 // current desiredUpdate when metadata.generation is equal to
 // status.generation.
+ // +listType=map
+ // +listMapKey=type
+ // +patchMergeKey=type
+ // +patchStrategy=merge
 // +optional
- Conditions []ClusterOperatorStatusCondition `json:"conditions,omitempty"`
+ Conditions []ClusterOperatorStatusCondition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
 // availableUpdates contains updates recommended for this
 // cluster. Updates which appear in conditionalUpdates but not in
@@ -153,6 +181,7 @@ type ClusterVersionStatus struct {
 // is unavailable, or if an invalid channel has been specified.
 // +nullable
 // +kubebuilder:validation:Required
+ // +listType=atomic
 // +required
 AvailableUpdates []Release `json:"availableUpdates"`
@@ -249,7 +278,7 @@ const (
 )
 // ClusterVersionCapability enumerates optional, core cluster components.
-// +kubebuilder:validation:Enum=openshift-samples;baremetal;marketplace;Console;Insights;Storage;CSISnapshot;NodeTuning;MachineAPI;Build;DeploymentConfig;ImageRegistry;OperatorLifecycleManager
+// +kubebuilder:validation:Enum=openshift-samples;baremetal;marketplace;Console;Insights;Storage;CSISnapshot;NodeTuning;MachineAPI;Build;DeploymentConfig;ImageRegistry;OperatorLifecycleManager;CloudCredential
 type ClusterVersionCapability string
 const (
@@ -343,6 +372,10 @@ const (
 // ClusterVersionCapabilityOperatorLifecycleManager manages the Operator Lifecycle Manager
 // which itself manages the lifecycle of operators
 ClusterVersionCapabilityOperatorLifecycleManager ClusterVersionCapability = "OperatorLifecycleManager"
+
+ // ClusterVersionCapabilityCloudCredential manages credentials for cloud providers
+ // in openshift cluster
+ ClusterVersionCapabilityCloudCredential ClusterVersionCapability = "CloudCredential"
 )
 // KnownClusterVersionCapabilities includes all known optional, core cluster components.
@@ -360,6 +393,7 @@ var KnownClusterVersionCapabilities = []ClusterVersionCapability{
 ClusterVersionCapabilityDeploymentConfig,
 ClusterVersionCapabilityImageRegistry,
 ClusterVersionCapabilityOperatorLifecycleManager,
+ ClusterVersionCapabilityCloudCredential,
 }
 // ClusterVersionCapabilitySet defines sets of cluster version capabilities.
@@ -465,6 +499,7 @@ var ClusterVersionCapabilitySets = map[ClusterVersionCapabilitySet][]ClusterVers
 ClusterVersionCapabilityDeploymentConfig,
 ClusterVersionCapabilityImageRegistry,
 ClusterVersionCapabilityOperatorLifecycleManager,
+ ClusterVersionCapabilityCloudCredential,
 },
 ClusterVersionCapabilitySetCurrent: {
 ClusterVersionCapabilityBaremetal,
@@ -480,6 +515,7 @@ var ClusterVersionCapabilitySets = map[ClusterVersionCapabilitySet][]ClusterVers
 ClusterVersionCapabilityDeploymentConfig,
 ClusterVersionCapabilityImageRegistry,
 ClusterVersionCapabilityOperatorLifecycleManager,
+ ClusterVersionCapabilityCloudCredential,
 },
 }
@@ -619,6 +655,7 @@ type Release struct {
 // channels is the set of Cincinnati channels to which the release
 // currently belongs.
+ // +listType=set
 // +optional
 Channels []string `json:"channels,omitempty"`
 }
@@ -749,3 +786,26 @@ type ClusterVersionList struct {
 Items []ClusterVersion `json:"items"`
 }
+
+// SignatureStore represents the URL of custom Signature Store
+type SignatureStore struct {
+
+ // url contains the upstream custom signature store URL.
+ // url should be a valid absolute http/https URI of an upstream signature store as per rfc1738.
+ // This must be provided and cannot be empty.
+ //
+ // +kubebuilder:validation:Type=string
+ // +kubebuilder:validation:XValidation:rule="isURL(self)",message="url must be a valid absolute URL"
+ // +kubebuilder:validation:Required
+ URL string `json:"url"`
+
+ // ca is an optional reference to a config map by name containing the PEM-encoded CA bundle.
+ // It is used as a trust anchor to validate the TLS certificate presented by the remote server.
+ // The key "ca.crt" is used to locate the data.
+ // If specified and the config map or expected key is not found, the signature store is not honored.
+ // If the specified ca data is not valid, the signature store is not honored.
+ // If empty, we fall back to the CA configured via Proxy, which is appended to the default system roots.
+ // The namespace for this config map is openshift-config.
+ // +optional
+ CA ConfigMapNameReference `json:"ca"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_feature.go b/vendor/github.com/openshift/api/config/v1/types_feature.go
index f4228d2f7..9ac580eac 100644
--- a/vendor/github.com/openshift/api/config/v1/types_feature.go
+++ b/vendor/github.com/openshift/api/config/v1/types_feature.go
@@ -159,8 +159,10 @@ type FeatureGateEnabledDisabled struct {
 var FeatureSets = map[FeatureSet]*FeatureGateEnabledDisabled{
 Default: defaultFeatures,
 CustomNoUpgrade: {
- Enabled: []FeatureGateDescription{},
- Disabled: []FeatureGateDescription{},
+ Enabled: []FeatureGateDescription{},
+ Disabled: []FeatureGateDescription{
+ disableKubeletCloudCredentialProviders, // We do not currently ship the correct config to use the external credentials provider.
+ },
 },
 TechPreviewNoUpgrade: newDefaultFeatures().
 with(validatingAdmissionPolicy).
@@ -188,6 +190,10 @@ var FeatureSets = map[FeatureSet]*FeatureGateEnabledDisabled{
 without(clusterAPIInstall).
 with(sdnLiveMigration).
 with(mixedCPUsAllocation).
+ with(managedBootImages).
+ without(disableKubeletCloudCredentialProviders).
+ with(onClusterBuild).
+ with(signatureStores).
 toFeatures(defaultFeatures),
 LatencySensitive: newDefaultFeatures().
 toFeatures(defaultFeatures),
@@ -206,7 +212,9 @@ var defaultFeatures = &FeatureGateEnabledDisabled{
 privateHostedZoneAWS,
 buildCSIVolumes,
 },
- Disabled: []FeatureGateDescription{},
+ Disabled: []FeatureGateDescription{
+ disableKubeletCloudCredentialProviders, // We do not currently ship the correct config to use the external credentials provider.
+ },
 }
 type featureSetBuilder struct {
diff --git a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go
index 94ace910a..848640e16 100644
--- a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go
+++ b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go
@@ -475,6 +475,7 @@ type AWSPlatformSpec struct {
 // serviceEndpoints list contains custom endpoints which will override default
 // service endpoint of AWS Services.
 // There must be only one ServiceEndpoint for a service.
+ // +listType=atomic
 // +optional
 ServiceEndpoints []AWSServiceEndpoint `json:"serviceEndpoints,omitempty"`
 }
@@ -487,6 +488,7 @@ type AWSPlatformStatus struct {
 // ServiceEndpoints list contains custom endpoints which will override default
 // service endpoint of AWS Services.
 // There must be only one ServiceEndpoint for a service.
+ // +listType=atomic
 // +optional
 ServiceEndpoints []AWSServiceEndpoint `json:"serviceEndpoints,omitempty"`
@@ -495,6 +497,7 @@ type AWSPlatformStatus struct {
 // AWS supports a maximum of 50 tags per resource. OpenShift reserves 25 tags for its use, leaving 25 tags
 // available for the user.
 // +kubebuilder:validation:MaxItems=25
+ // +listType=atomic
 // +optional
 ResourceTags []AWSResourceTag `json:"resourceTags,omitempty"`
 }
@@ -550,6 +553,7 @@ type AzurePlatformStatus struct {
 // may be applied. OpenShift reserves 5 tags for internal use, allowing 10 tags for user configuration.
 // +kubebuilder:validation:MaxItems=10
 // +kubebuilder:validation:XValidation:rule="self.all(x, x in oldSelf) && oldSelf.all(x, x in self)",message="resourceTags are immutable and may only be configured during installation"
+ // +listType=atomic
 // +optional
 ResourceTags []AzureResourceTag `json:"resourceTags,omitempty"`
 }
@@ -729,48 +733,7 @@ type BareMetalPlatformLoadBalancer struct {
 // BareMetalPlatformSpec holds the desired state of the BareMetal infrastructure provider.
 // This only includes fields that can be modified in the cluster.
-// +kubebuilder:validation:XValidation:rule="!has(oldSelf.apiServerInternalIPs) || has(self.apiServerInternalIPs)",message="apiServerInternalIPs list is required once set"
-// +kubebuilder:validation:XValidation:rule="!has(oldSelf.ingressIPs) || has(self.ingressIPs)",message="ingressIPs list is required once set"
-type BareMetalPlatformSpec struct {
- // apiServerInternalIPs are the IP addresses to contact the Kubernetes API
- // server that can be used by components inside the cluster, like kubelets
- // using the infrastructure rather than Kubernetes networking. These are the
- // IPs for a self-hosted load balancer in front of the API servers.
- // In dual stack clusters this list contains two IP addresses, one from IPv4
- // family and one from IPv6.
- // In single stack clusters a single IP address is expected.
- // When omitted, values from the status.apiServerInternalIPs will be used.
- // Once set, the list cannot be completely removed (but its second entry can).
- //
- // +kubebuilder:validation:MaxItems=2
- // +kubebuilder:validation:XValidation:rule="size(self) == 2 ? self.exists_one(x, x.contains(':')) : true",message="apiServerInternalIPs must contain at most one IPv4 address and at most one IPv6 address"
- // +listType=set
- // +optional
- APIServerInternalIPs []IP `json:"apiServerInternalIPs"`
-
- // ingressIPs are the external IPs which route to the default ingress
- // controller. The IPs are suitable targets of a wildcard DNS record used to
- // resolve default route host names.
- // In dual stack clusters this list contains two IP addresses, one from IPv4
- // family and one from IPv6.
- // In single stack clusters a single IP address is expected.
- // When omitted, values from the status.ingressIPs will be used.
- // Once set, the list cannot be completely removed (but its second entry can).
- //
- // +kubebuilder:validation:MaxItems=2
- // +kubebuilder:validation:XValidation:rule="size(self) == 2 ? self.exists_one(x, x.contains(':')) : true",message="ingressIPs must contain at most one IPv4 address and at most one IPv6 address"
- // +listType=set
- // +optional
- IngressIPs []IP `json:"ingressIPs"`
-
- // machineNetworks are IP networks used to connect all the OpenShift cluster
- // nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6,
- // for example "10.0.0.0/8" or "fd00::/8".
- // +listType=set
- // +kubebuilder:validation:MaxItems=32
- // +optional
- MachineNetworks []CIDR `json:"machineNetworks"`
-}
+type BareMetalPlatformSpec struct{}
 // BareMetalPlatformStatus holds the current status of the BareMetal infrastructure provider.
 // For more information about the network architecture used with the BareMetal platform type, see:
@@ -792,6 +755,7 @@ type BareMetalPlatformStatus struct {
 //
 // +kubebuilder:validation:Format=ip
 // +kubebuilder:validation:MaxItems=2
+ // +listType=set
 APIServerInternalIPs []string `json:"apiServerInternalIPs"`
 // ingressIP is an external IP which routes to the default ingress controller.
@@ -807,6 +771,7 @@ type BareMetalPlatformStatus struct {
 //
 // +kubebuilder:validation:Format=ip
 // +kubebuilder:validation:MaxItems=2
+ // +listType=set
 IngressIPs []string `json:"ingressIPs"`
 // nodeDNSIP is the IP address for the internal DNS used by the
@@ -823,12 +788,6 @@ type BareMetalPlatformStatus struct {
 // +openshift:enable:FeatureSets=CustomNoUpgrade;TechPreviewNoUpgrade
 // +optional
 LoadBalancer *BareMetalPlatformLoadBalancer `json:"loadBalancer,omitempty"`
-
- // machineNetworks are IP networks used to connect all the OpenShift cluster nodes.
- // +listType=set
- // +kubebuilder:validation:MaxItems=32
- // +optional
- MachineNetworks []CIDR `json:"machineNetworks"`
 }
 // OpenStackPlatformLoadBalancer defines the load balancer used by the cluster on OpenStack platform.
@@ -854,48 +813,7 @@ type OpenStackPlatformLoadBalancer struct {
 // OpenStackPlatformSpec holds the desired state of the OpenStack infrastructure provider.
 // This only includes fields that can be modified in the cluster.
-// +kubebuilder:validation:XValidation:rule="!has(oldSelf.apiServerInternalIPs) || has(self.apiServerInternalIPs)",message="apiServerInternalIPs list is required once set"
-// +kubebuilder:validation:XValidation:rule="!has(oldSelf.ingressIPs) || has(self.ingressIPs)",message="ingressIPs list is required once set"
-type OpenStackPlatformSpec struct {
- // apiServerInternalIPs are the IP addresses to contact the Kubernetes API
- // server that can be used by components inside the cluster, like kubelets
- // using the infrastructure rather than Kubernetes networking. These are the
- // IPs for a self-hosted load balancer in front of the API servers.
- // In dual stack clusters this list contains two IP addresses, one from IPv4
- // family and one from IPv6.
- // In single stack clusters a single IP address is expected.
- // When omitted, values from the status.apiServerInternalIPs will be used.
- // Once set, the list cannot be completely removed (but its second entry can).
- //
- // +kubebuilder:validation:MaxItems=2
- // +kubebuilder:validation:XValidation:rule="size(self) == 2 ? self.exists_one(x, x.contains(':')) : true",message="apiServerInternalIPs must contain at most one IPv4 address and at most one IPv6 address"
- // +listType=set
- // +optional
- APIServerInternalIPs []IP `json:"apiServerInternalIPs"`
-
- // ingressIPs are the external IPs which route to the default ingress
- // controller. The IPs are suitable targets of a wildcard DNS record used to
- // resolve default route host names.
- // In dual stack clusters this list contains two IP addresses, one from IPv4
- // family and one from IPv6.
- // In single stack clusters a single IP address is expected.
- // When omitted, values from the status.ingressIPs will be used.
- // Once set, the list cannot be completely removed (but its second entry can).
- //
- // +kubebuilder:validation:MaxItems=2
- // +kubebuilder:validation:XValidation:rule="size(self) == 2 ? self.exists_one(x, x.contains(':')) : true",message="ingressIPs must contain at most one IPv4 address and at most one IPv6 address"
- // +listType=set
- // +optional
- IngressIPs []IP `json:"ingressIPs"`
-
- // machineNetworks are IP networks used to connect all the OpenShift cluster
- // nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6,
- // for example "10.0.0.0/8" or "fd00::/8".
- // +listType=set
- // +kubebuilder:validation:MaxItems=32
- // +optional
- MachineNetworks []CIDR `json:"machineNetworks"`
-}
+type OpenStackPlatformSpec struct{}
 // OpenStackPlatformStatus holds the current status of the OpenStack infrastructure provider.
 type OpenStackPlatformStatus struct {
@@ -915,6 +833,7 @@ type OpenStackPlatformStatus struct {
 //
 // +kubebuilder:validation:Format=ip
 // +kubebuilder:validation:MaxItems=2
+ // +listType=set
 APIServerInternalIPs []string `json:"apiServerInternalIPs"`
 // cloudName is the name of the desired OpenStack cloud in the
@@ -934,6 +853,7 @@ type OpenStackPlatformStatus struct {
 //
 // +kubebuilder:validation:Format=ip
 // +kubebuilder:validation:MaxItems=2
+ // +listType=set
 IngressIPs []string `json:"ingressIPs"`
 // nodeDNSIP is the IP address for the internal DNS used by the
@@ -949,12 +869,6 @@ type OpenStackPlatformStatus struct {
 // +kubebuilder:default={"type": "OpenShiftManagedDefault"}
 // +optional
 LoadBalancer *OpenStackPlatformLoadBalancer `json:"loadBalancer,omitempty"`
-
- // machineNetworks are IP networks used to connect all the OpenShift cluster nodes.
- // +listType=set
- // +kubebuilder:validation:MaxItems=32
- // +optional
- MachineNetworks []CIDR `json:"machineNetworks"`
 }
 // OvirtPlatformLoadBalancer defines the load balancer used by the cluster on Ovirt platform.
@@ -1000,6 +914,7 @@ type OvirtPlatformStatus struct {
 //
 // +kubebuilder:validation:Format=ip
 // +kubebuilder:validation:MaxItems=2
+ // +listType=set
 APIServerInternalIPs []string `json:"apiServerInternalIPs"`
 // ingressIP is an external IP which routes to the default ingress controller.
@@ -1015,6 +930,7 @@ type OvirtPlatformStatus struct {
 //
 // +kubebuilder:validation:Format=ip
 // +kubebuilder:validation:MaxItems=2
+ // +listType=set
 IngressIPs []string `json:"ingressIPs"`
 // deprecated: as of 4.6, this field is no longer set or honored. It will be removed in a future release.
@@ -1115,6 +1031,7 @@ type VSpherePlatformTopology struct {
 // +kubebuilder:validation:Required
 // +kubebuilder:validation:MaxItems=1
 // +kubebuilder:validation:MinItems=1
+ // +listType=atomic
 Networks []string `json:"networks"`
 // datastore is the absolute path of the datastore in which the
@@ -1188,6 +1105,7 @@ type VSpherePlatformVCenterSpec struct {
 // a topology.
 // +kubebuilder:validation:Required
 // +kubebuilder:validation:MinItems=1
+ // +listType=set
 Datacenters []string `json:"datacenters"`
 }
@@ -1201,6 +1119,7 @@ type VSpherePlatformNodeNetworkingSpec struct {
 // that will be used in respective status.addresses fields.
 // ---
 // + Validation is applied via a patch, we validate the format as cidr
+ // +listType=set
 // +optional
 NetworkSubnetCIDR []string `json:"networkSubnetCidr,omitempty"`
@@ -1217,6 +1136,7 @@ type VSpherePlatformNodeNetworkingSpec struct {
 // the IP address from the VirtualMachine's VM for use in the status.addresses fields.
 // ---
 // + Validation is applied via a patch, we validate the format as cidr
+ // +listType=atomic
 // +optional
 ExcludeNetworkSubnetCIDR []string `json:"excludeNetworkSubnetCidr,omitempty"`
 }
@@ -1234,8 +1154,6 @@ type VSpherePlatformNodeNetworking struct {
 // VSpherePlatformSpec holds the desired state of the vSphere infrastructure provider.
 // In the future the cloud provider operator, storage operator and machine operator will
 // use these fields for configuration.
-// +kubebuilder:validation:XValidation:rule="!has(oldSelf.apiServerInternalIPs) || has(self.apiServerInternalIPs)",message="apiServerInternalIPs list is required once set"
-// +kubebuilder:validation:XValidation:rule="!has(oldSelf.ingressIPs) || has(self.ingressIPs)",message="ingressIPs list is required once set"
 type VSpherePlatformSpec struct {
 // vcenters holds the connection details for services to communicate with vCenter.
 // Currently, only a single vCenter is supported.
@@ -1244,11 +1162,14 @@ type VSpherePlatformSpec struct {
 // + in openshift-config.
 // +kubebuilder:validation:MaxItems=1
 // +kubebuilder:validation:MinItems=0
+ // +listType=atomic
 // +optional
 VCenters []VSpherePlatformVCenterSpec `json:"vcenters,omitempty"`
 // failureDomains contains the definition of region, zone and the vCenter topology.
 // If this is omitted failure domains (regions and zones) will not be used.
+ // +listType=map
+ // +listMapKey=name
 // +optional
 FailureDomains []VSpherePlatformFailureDomainSpec `json:"failureDomains,omitempty"`
@@ -1259,45 +1180,6 @@ type VSpherePlatformSpec struct {
 // return the first one found.
 // +optional
 NodeNetworking VSpherePlatformNodeNetworking `json:"nodeNetworking,omitempty"`
-
- // apiServerInternalIPs are the IP addresses to contact the Kubernetes API
- // server that can be used by components inside the cluster, like kubelets
- // using the infrastructure rather than Kubernetes networking. These are the
- // IPs for a self-hosted load balancer in front of the API servers.
- // In dual stack clusters this list contains two IP addresses, one from IPv4
- // family and one from IPv6.
- // In single stack clusters a single IP address is expected.
- // When omitted, values from the status.apiServerInternalIPs will be used.
- // Once set, the list cannot be completely removed (but its second entry can).
- //
- // +kubebuilder:validation:MaxItems=2
- // +kubebuilder:validation:XValidation:rule="size(self) == 2 ? self.exists_one(x, x.contains(':')) : true",message="apiServerInternalIPs must contain at most one IPv4 address and at most one IPv6 address"
- // +listType=set
- // +optional
- APIServerInternalIPs []IP `json:"apiServerInternalIPs"`
-
- // ingressIPs are the external IPs which route to the default ingress
- // controller. The IPs are suitable targets of a wildcard DNS record used to
- // resolve default route host names.
- // In dual stack clusters this list contains two IP addresses, one from IPv4
- // family and one from IPv6.
- // In single stack clusters a single IP address is expected.
- // When omitted, values from the status.ingressIPs will be used.
- // Once set, the list cannot be completely removed (but its second entry can).
- //
- // +kubebuilder:validation:MaxItems=2
- // +kubebuilder:validation:XValidation:rule="size(self) == 2 ? 
self.exists_one(x, x.contains(':')) : true",message="ingressIPs must contain at most one IPv4 address and at most one IPv6 address"
- // +listType=set
- // +optional
- IngressIPs []IP `json:"ingressIPs"`
-
- // machineNetworks are IP networks used to connect all the OpenShift cluster
- // nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6,
- // for example "10.0.0.0/8" or "fd00::/8".
- // +listType=set
- // +kubebuilder:validation:MaxItems=32
- // +optional
- MachineNetworks []CIDR `json:"machineNetworks"`
 }
 // VSpherePlatformStatus holds the current status of the vSphere infrastructure provider.
@@ -1318,6 +1200,7 @@ type VSpherePlatformStatus struct {
 //
 // +kubebuilder:validation:Format=ip
 // +kubebuilder:validation:MaxItems=2
+ // +listType=set
 APIServerInternalIPs []string `json:"apiServerInternalIPs"`
 // ingressIP is an external IP which routes to the default ingress controller.
@@ -1333,6 +1216,7 @@ type VSpherePlatformStatus struct {
 //
 // +kubebuilder:validation:Format=ip
 // +kubebuilder:validation:MaxItems=2
+ // +listType=set
 IngressIPs []string `json:"ingressIPs"`
 // nodeDNSIP is the IP address for the internal DNS used by the
@@ -1349,12 +1233,6 @@ type VSpherePlatformStatus struct {
 // +openshift:enable:FeatureSets=CustomNoUpgrade;TechPreviewNoUpgrade
 // +optional
 LoadBalancer *VSpherePlatformLoadBalancer `json:"loadBalancer,omitempty"`
-
- // machineNetworks are IP networks used to connect all the OpenShift cluster nodes.
- // +listType=set
- // +kubebuilder:validation:MaxItems=32
- // +optional
- MachineNetworks []CIDR `json:"machineNetworks"`
 }
 // IBMCloudServiceEndpoint stores the configuration of a custom url to
@@ -1505,6 +1383,8 @@ type PowerVSPlatformStatus struct {
 // serviceEndpoints is a list of custom endpoints which will override the default
 // service endpoints of a Power VS service.
+ // +listType=map
+ // +listMapKey=name
 // +optional
 ServiceEndpoints []PowerVSServiceEndpoint `json:"serviceEndpoints,omitempty"`
@@ -1715,6 +1595,7 @@ type NutanixPlatformStatus struct {
 //
 // +kubebuilder:validation:Format=ip
 // +kubebuilder:validation:MaxItems=2
+ // +listType=set
 APIServerInternalIPs []string `json:"apiServerInternalIPs"`
 // ingressIP is an external IP which routes to the default ingress controller.
@@ -1730,6 +1611,7 @@ type NutanixPlatformStatus struct {
 //
 // +kubebuilder:validation:Format=ip
 // +kubebuilder:validation:MaxItems=2
+ // +listType=set
 IngressIPs []string `json:"ingressIPs"`
 // loadBalancer defines how the load balancer used by the cluster is configured.
@@ -1755,19 +1637,3 @@ type InfrastructureList struct { Items []Infrastructure `json:"items"` } - -// CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). -// +kubebuilder:validation:Pattern=`(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$)` -// + --- -// + The regex for the IPv4 and IPv6 CIDR range was taken from -// + https://blog.markhatton.co.uk/2011/03/15/regular-expressions-for-ip-addresses-cidr-ranges-and-hostnames/ -// + The resulting regex is an OR of both regexes. -type CIDR string - -// IP is an IP address (for example, "10.0.0.0" or "fd00::"). 
-// +kubebuilder:validation:Pattern=`(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*)` -// + --- -// + The regex for the IPv4 and IPv6 address was taken from -// + https://blog.markhatton.co.uk/2011/03/15/regular-expressions-for-ip-addresses-cidr-ranges-and-hostnames/ -// + The resulting regex is an OR of both regexes. -type IP string diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go index 587f5db7a..476602ade 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go @@ -453,7 +453,7 @@ func (in *Authentication) DeepCopyInto(out *Authentication) { out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status + in.Status.DeepCopyInto(&out.Status) return } 
@@ -546,6 +546,13 @@ func (in *AuthenticationSpec) DeepCopy() *AuthenticationSpec { func (in *AuthenticationStatus) DeepCopyInto(out *AuthenticationStatus) { *out = *in out.IntegratedOAuthMetadata = in.IntegratedOAuthMetadata + if in.OIDCClients != nil { + in, out := &in.OIDCClients, &out.OIDCClients + *out = make([]OIDCClientStatus, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } return } @@ -631,21 +638,6 @@ func (in *BareMetalPlatformLoadBalancer) DeepCopy() *BareMetalPlatformLoadBalanc // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BareMetalPlatformSpec) DeepCopyInto(out *BareMetalPlatformSpec) { *out = *in - if in.APIServerInternalIPs != nil { - in, out := &in.APIServerInternalIPs, &out.APIServerInternalIPs - *out = make([]IP, len(*in)) - copy(*out, *in) - } - if in.IngressIPs != nil { - in, out := &in.IngressIPs, &out.IngressIPs - *out = make([]IP, len(*in)) - copy(*out, *in) - } - if in.MachineNetworks != nil { - in, out := &in.MachineNetworks, &out.MachineNetworks - *out = make([]CIDR, len(*in)) - copy(*out, *in) - } return } @@ -677,11 +669,6 @@ func (in *BareMetalPlatformStatus) DeepCopyInto(out *BareMetalPlatformStatus) { *out = new(BareMetalPlatformLoadBalancer) **out = **in } - if in.MachineNetworks != nil { - in, out := &in.MachineNetworks, &out.MachineNetworks - *out = make([]CIDR, len(*in)) - copy(*out, *in) - } return } @@ -1204,6 +1191,11 @@ func (in *ClusterVersionSpec) DeepCopyInto(out *ClusterVersionSpec) { *out = new(ClusterVersionCapabilitiesSpec) (*in).DeepCopyInto(*out) } + if in.SignatureStores != nil { + in, out := &in.SignatureStores, &out.SignatureStores + *out = make([]SignatureStore, len(*in)) + copy(*out, *in) + } if in.Overrides != nil { in, out := &in.Overrides, &out.Overrides *out = make([]ComponentOverride, len(*in)) 
@@ -4043,10 +4035,88 @@ func (in *OAuthTemplates) DeepCopy() *OAuthTemplates { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientConfig) DeepCopyInto(out *OIDCClientConfig) { + *out = *in + out.ClientSecret = in.ClientSecret + if in.ExtraScopes != nil { + in, out := &in.ExtraScopes, &out.ExtraScopes + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientConfig. +func (in *OIDCClientConfig) DeepCopy() *OIDCClientConfig { + if in == nil { + return nil + } + out := new(OIDCClientConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientReference) DeepCopyInto(out *OIDCClientReference) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientReference. +func (in *OIDCClientReference) DeepCopy() *OIDCClientReference { + if in == nil { + return nil + } + out := new(OIDCClientReference) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { + *out = *in + if in.CurrentOIDCClients != nil { + in, out := &in.CurrentOIDCClients, &out.CurrentOIDCClients + *out = make([]OIDCClientReference, len(*in)) + copy(*out, *in) + } + if in.ConsumingUsers != nil { + in, out := &in.ConsumingUsers, &out.ConsumingUsers + *out = make([]ConsumingUser, len(*in)) + copy(*out, *in) + } + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]metav1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. +func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { + if in == nil { + return nil + } + out := new(OIDCClientStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider) { *out = *in in.Issuer.DeepCopyInto(&out.Issuer) + if in.OIDCClients != nil { + in, out := &in.OIDCClients, &out.OIDCClients + *out = make([]OIDCClientConfig, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } in.ClaimMappings.DeepCopyInto(&out.ClaimMappings) if in.ClaimValidationRules != nil { in, out := &in.ClaimValidationRules, &out.ClaimValidationRules 
@@ -4186,21 +4256,6 @@ func (in *OpenStackPlatformLoadBalancer) DeepCopy() *OpenStackPlatformLoadBalanc // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OpenStackPlatformSpec) DeepCopyInto(out *OpenStackPlatformSpec) { *out = *in - if in.APIServerInternalIPs != nil { - in, out := &in.APIServerInternalIPs, &out.APIServerInternalIPs - *out = make([]IP, len(*in)) - copy(*out, *in) - } - if in.IngressIPs != nil { - in, out := &in.IngressIPs, &out.IngressIPs - *out = make([]IP, len(*in)) - copy(*out, *in) - } - if in.MachineNetworks != nil { - in, out := &in.MachineNetworks, &out.MachineNetworks - *out = make([]CIDR, len(*in)) - copy(*out, *in) - } return } @@ -4232,11 +4287,6 @@ func (in *OpenStackPlatformStatus) DeepCopyInto(out *OpenStackPlatformStatus) { *out = new(OpenStackPlatformLoadBalancer) **out = **in } - if in.MachineNetworks != nil { - in, out := &in.MachineNetworks, &out.MachineNetworks - *out = make([]CIDR, len(*in)) - copy(*out, *in) - } return } @@ -4453,12 +4503,12 @@ func (in *PlatformSpec) DeepCopyInto(out *PlatformSpec) { if in.BareMetal != nil { in, out := &in.BareMetal, &out.BareMetal *out = new(BareMetalPlatformSpec) - (*in).DeepCopyInto(*out) + **out = **in } if in.OpenStack != nil { in, out := &in.OpenStack, &out.OpenStack *out = new(OpenStackPlatformSpec) - (*in).DeepCopyInto(*out) + **out = **in } if in.Ovirt != nil { in, out := &in.Ovirt, &out.Ovirt 
@@ -5207,6 +5257,23 @@ func (in *ServingInfo) DeepCopy() *ServingInfo { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SignatureStore) DeepCopyInto(out *SignatureStore) { + *out = *in + out.CA = in.CA + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SignatureStore. +func (in *SignatureStore) DeepCopy() *SignatureStore { + if in == nil { + return nil + } + out := new(SignatureStore) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *StringSource) DeepCopyInto(out *StringSource) { *out = *in @@ -5597,21 +5664,6 @@ func (in *VSpherePlatformSpec) DeepCopyInto(out *VSpherePlatformSpec) { } } in.NodeNetworking.DeepCopyInto(&out.NodeNetworking) - if in.APIServerInternalIPs != nil { - in, out := &in.APIServerInternalIPs, &out.APIServerInternalIPs - *out = make([]IP, len(*in)) - copy(*out, *in) - } - if in.IngressIPs != nil { - in, out := &in.IngressIPs, &out.IngressIPs - *out = make([]IP, len(*in)) - copy(*out, *in) - } - if in.MachineNetworks != nil { - in, out := &in.MachineNetworks, &out.MachineNetworks - *out = make([]CIDR, len(*in)) - copy(*out, *in) - } return } @@ -5643,11 +5695,6 @@ func (in *VSpherePlatformStatus) DeepCopyInto(out *VSpherePlatformStatus) { *out = new(VSpherePlatformLoadBalancer) **out = **in } - if in.MachineNetworks != nil { - in, out := &in.MachineNetworks, &out.MachineNetworks - *out = make([]CIDR, len(*in)) - copy(*out, *in) - } return } diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go index 04336721f..3ea0a78cf 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go 
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go @@ -378,6 +378,7 @@ func (AuthenticationSpec) SwaggerDoc() map[string]string { var map_AuthenticationStatus = map[string]string{ "integratedOAuthMetadata": "integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 Authorization Server Metadata for the in-cluster integrated OAuth server. This discovery document can be viewed from its served location: oc get --raw '/.well-known/oauth-authorization-server' For further details, see the IETF Draft: https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 This contains the observed value based on cluster state. An explicitly set value in spec.oauthMetadata has precedence over this field. This field has no meaning if authentication spec.type is not set to IntegratedOAuth. The key \"oauthMetadata\" is used to locate the data. If the config map or expected key is not found, no metadata is served. If the specified metadata is not valid, no metadata is served. The namespace for this config map is openshift-config-managed.", + "oidcClients": "OIDCClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin.", } func (AuthenticationStatus) SwaggerDoc() map[string]string { 
@@ -393,9 +394,44 @@ func (DeprecatedWebhookTokenAuthenticator) SwaggerDoc() map[string]string { return map_DeprecatedWebhookTokenAuthenticator } +var map_OIDCClientConfig = map[string]string{ + "componentName": "ComponentName is the name of the component that is supposed to consume this client configuration", + "componentNamespace": "ComponentNamespace is the namespace of the component that is supposed to consume this client configuration", + "clientID": "ClientID is the identifier of the OIDC client from the OIDC provider", + "clientSecret": "ClientSecret refers to a secret in the `openshift-config` namespace that contains the client secret in the `clientSecret` key of the `.data` field", + "extraScopes": "ExtraScopes is an optional set of scopes to request tokens with.", +} + +func (OIDCClientConfig) SwaggerDoc() map[string]string { + return map_OIDCClientConfig +} + +var map_OIDCClientReference = map[string]string{ + "oidcProviderName": "OIDCName refers to the `name` of the provider from `oidcProviders`", + "issuerURL": "URL is the serving URL of the token issuer. 
Must use the https:// scheme.", + "clientID": "ClientID is the identifier of the OIDC client from the OIDC provider", +} + +func (OIDCClientReference) SwaggerDoc() map[string]string { + return map_OIDCClientReference +} + +var map_OIDCClientStatus = map[string]string{ + "componentName": "ComponentName is the name of the component that will consume a client configuration.", + "componentNamespace": "ComponentNamespace is the namespace of the component that will consume a client configuration.", + "currentOIDCClients": "CurrentOIDCClients is a list of clients that the component is currently using.", + "consumingUsers": "ConsumingUsers is a slice of ServiceAccounts that need to have read permission on the `clientSecret` secret.", + "conditions": "Conditions are used to communicate the state of the `oidcClients` entry.\n\nSupported conditions include Available, Degraded and Progressing.\n\nIf Available is true, the component is successfully using the configured client. If Degraded is true, that means something has gone wrong trying to handle the client configuration. If Progressing is true, that means the component is taking some action related to the `oidcClients` entry.", +} + +func (OIDCClientStatus) SwaggerDoc() map[string]string { + return map_OIDCClientStatus +} + var map_OIDCProvider = map[string]string{ "name": "Name of the OIDC provider", "issuer": "Issuer describes atributes of the OIDC token issuer", + "oidcClients": "OIDCClients contains configuration for the platform's clients that need to request tokens from the issuer", "claimMappings": "ClaimMappings describes rules on how to transform information from an ID token into a cluster identity", "claimValidationRules": "ClaimValidationRules are rules that are applied to validate token claims to authenticate users.", } 
@@ -660,13 +696,14 @@ func (ClusterVersionList) SwaggerDoc() map[string]string { } var map_ClusterVersionSpec = map[string]string{ - "": "ClusterVersionSpec is the desired version state of the cluster. It includes the version the cluster should be at, how the cluster is identified, and where the cluster should look for version updates.", - "clusterID": "clusterID uniquely identifies this cluster. This is expected to be an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in hexadecimal values). This is a required field.", - "desiredUpdate": "desiredUpdate is an optional field that indicates the desired value of the cluster version. Setting this value will trigger an upgrade (if the current version does not match the desired version). The set of recommended update values is listed as part of available updates in status, and setting values outside that range may cause the upgrade to fail.\n\nSome of the fields are inter-related with restrictions and meanings described here. 1. image is specified, version is specified, architecture is specified. API validation error. 2. image is specified, version is specified, architecture is not specified. You should not do this. version is silently ignored and image is used. 3. image is specified, version is not specified, architecture is specified. API validation error. 4. image is specified, version is not specified, architecture is not specified. image is used. 5. image is not specified, version is specified, architecture is specified. version and desired architecture are used to select an image. 6. image is not specified, version is specified, architecture is not specified. version and current architecture are used to select an image. 7. image is not specified, version is not specified, architecture is specified. API validation error. 8. image is not specified, version is not specified, architecture is not specified. 
API validation error.\n\nIf an upgrade fails the operator will halt and report status about the failing component. Setting the desired update value back to the previous version will cause a rollback to be attempted. Not all rollbacks will succeed.", - "upstream": "upstream may be used to specify the preferred update server. By default it will use the appropriate update server for the cluster and region.", - "channel": "channel is an identifier for explicitly requesting that a non-default set of updates be applied to this cluster. The default channel will be contain stable updates that are appropriate for production clusters.", - "capabilities": "capabilities configures the installation of optional, core cluster components. A null value here is identical to an empty object; see the child properties for default semantics.", - "overrides": "overrides is list of overides for components that are managed by cluster version operator. Marking a component unmanaged will prevent the operator from creating or updating the object.", + "": "ClusterVersionSpec is the desired version state of the cluster. It includes the version the cluster should be at, how the cluster is identified, and where the cluster should look for version updates.", + "clusterID": "clusterID uniquely identifies this cluster. This is expected to be an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in hexadecimal values). This is a required field.", + "desiredUpdate": "desiredUpdate is an optional field that indicates the desired value of the cluster version. Setting this value will trigger an upgrade (if the current version does not match the desired version). The set of recommended update values is listed as part of available updates in status, and setting values outside that range may cause the upgrade to fail.\n\nSome of the fields are inter-related with restrictions and meanings described here. 1. image is specified, version is specified, architecture is specified. API validation error. 2. 
image is specified, version is specified, architecture is not specified. You should not do this. version is silently ignored and image is used. 3. image is specified, version is not specified, architecture is specified. API validation error. 4. image is specified, version is not specified, architecture is not specified. image is used. 5. image is not specified, version is specified, architecture is specified. version and desired architecture are used to select an image. 6. image is not specified, version is specified, architecture is not specified. version and current architecture are used to select an image. 7. image is not specified, version is not specified, architecture is specified. API validation error. 8. image is not specified, version is not specified, architecture is not specified. API validation error.\n\nIf an upgrade fails the operator will halt and report status about the failing component. Setting the desired update value back to the previous version will cause a rollback to be attempted. Not all rollbacks will succeed.", + "upstream": "upstream may be used to specify the preferred update server. By default it will use the appropriate update server for the cluster and region.", + "channel": "channel is an identifier for explicitly requesting that a non-default set of updates be applied to this cluster. The default channel will be contain stable updates that are appropriate for production clusters.", + "capabilities": "capabilities configures the installation of optional, core cluster components. A null value here is identical to an empty object; see the child properties for default semantics.", + "signatureStores": "signatureStores contains the upstream URIs to verify release signatures and optional reference to a config map by name containing the PEM-encoded CA bundle.\n\nBy default, CVO will use existing signature stores if this property is empty. The CVO will check the release signatures in the local ConfigMaps first. 
It will search for a valid signature in these stores in parallel only when local ConfigMaps did not include a valid signature. Validation will fail if none of the signature stores reply with valid signature before timeout. Setting signatureStores will replace the default signature stores with custom signature stores. Default stores can be used with custom signature stores by adding them manually.\n\nA maximum of 32 signature stores may be configured.", + "overrides": "overrides is list of overides for components that are managed by cluster version operator. Marking a component unmanaged will prevent the operator from creating or updating the object.", } func (ClusterVersionSpec) SwaggerDoc() map[string]string { 
@@ -746,6 +783,16 @@ func (Release) SwaggerDoc() map[string]string { return map_Release } +var map_SignatureStore = map[string]string{ + "": "SignatureStore represents the URL of custom Signature Store", + "url": "url contains the upstream custom signature store URL. url should be a valid absolute http/https URI of an upstream signature store as per rfc1738. This must be provided and cannot be empty.", + "ca": "ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. It is used as a trust anchor to validate the TLS certificate presented by the remote server. The key \"ca.crt\" is used to locate the data. If specified and the config map or expected key is not found, the signature store is not honored. If the specified ca data is not valid, the signature store is not honored. If empty, we fall back to the CA configured via Proxy, which is appended to the default system roots. The namespace for this config map is openshift-config.", +} + +func (SignatureStore) SwaggerDoc() map[string]string { + return map_SignatureStore +} + var map_Update = map[string]string{ "": "Update represents an administrator update request.", "architecture": "architecture is an optional field that indicates the desired value of the cluster architecture. In this context cluster architecture means either a single architecture or a multi architecture. architecture can only be set to Multi thereby only allowing updates from single to multi architecture. If architecture is set, image cannot be set and version must be set. Valid values are 'Multi' and empty.", 
@@ -1235,10 +1282,7 @@ func (BareMetalPlatformLoadBalancer) SwaggerDoc() map[string]string { } var map_BareMetalPlatformSpec = map[string]string{ - "": "BareMetalPlatformSpec holds the desired state of the BareMetal infrastructure provider. This only includes fields that can be modified in the cluster.", - "apiServerInternalIPs": "apiServerInternalIPs are the IP addresses to contact the Kubernetes API server that can be used by components inside the cluster, like kubelets using the infrastructure rather than Kubernetes networking. These are the IPs for a self-hosted load balancer in front of the API servers. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. When omitted, values from the status.apiServerInternalIPs will be used. Once set, the list cannot be completely removed (but its second entry can).", - "ingressIPs": "ingressIPs are the external IPs which route to the default ingress controller. The IPs are suitable targets of a wildcard DNS record used to resolve default route host names. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. When omitted, values from the status.ingressIPs will be used. Once set, the list cannot be completely removed (but its second entry can).", - "machineNetworks": "machineNetworks are IP networks used to connect all the OpenShift cluster nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6, for example \"10.0.0.0/8\" or \"fd00::/8\".", + "": "BareMetalPlatformSpec holds the desired state of the BareMetal infrastructure provider. This only includes fields that can be modified in the cluster.", } func (BareMetalPlatformSpec) SwaggerDoc() map[string]string { 
@@ -1253,7 +1297,6 @@ var map_BareMetalPlatformStatus = map[string]string{ "ingressIPs": "ingressIPs are the external IPs which route to the default ingress controller. The IPs are suitable targets of a wildcard DNS record used to resolve default route host names. In dual stack clusters this list contains two IPs otherwise only one.", "nodeDNSIP": "nodeDNSIP is the IP address for the internal DNS used by the nodes. Unlike the one managed by the DNS operator, `NodeDNSIP` provides name resolution for the nodes themselves. There is no DNS-as-a-service for BareMetal deployments. In order to minimize necessary changes to the datacenter DNS, a DNS service is hosted as a static pod to serve those hostnames to the nodes in the cluster.", "loadBalancer": "loadBalancer defines how the load balancer used by the cluster is configured.", - "machineNetworks": "machineNetworks are IP networks used to connect all the OpenShift cluster nodes.", } func (BareMetalPlatformStatus) SwaggerDoc() map[string]string { 
@@ -1529,10 +1572,7 @@ func (OpenStackPlatformLoadBalancer) SwaggerDoc() map[string]string { } var map_OpenStackPlatformSpec = map[string]string{ - "": "OpenStackPlatformSpec holds the desired state of the OpenStack infrastructure provider. This only includes fields that can be modified in the cluster.", - "apiServerInternalIPs": "apiServerInternalIPs are the IP addresses to contact the Kubernetes API server that can be used by components inside the cluster, like kubelets using the infrastructure rather than Kubernetes networking. These are the IPs for a self-hosted load balancer in front of the API servers. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. When omitted, values from the status.apiServerInternalIPs will be used. Once set, the list cannot be completely removed (but its second entry can).", - "ingressIPs": "ingressIPs are the external IPs which route to the default ingress controller. The IPs are suitable targets of a wildcard DNS record used to resolve default route host names. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. When omitted, values from the status.ingressIPs will be used. Once set, the list cannot be completely removed (but its second entry can).", - "machineNetworks": "machineNetworks are IP networks used to connect all the OpenShift cluster nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6, for example \"10.0.0.0/8\" or \"fd00::/8\".", + "": "OpenStackPlatformSpec holds the desired state of the OpenStack infrastructure provider. This only includes fields that can be modified in the cluster.", } func (OpenStackPlatformSpec) SwaggerDoc() map[string]string { 
@@ -1548,7 +1588,6 @@ var map_OpenStackPlatformStatus = map[string]string{ "ingressIPs": "ingressIPs are the external IPs which route to the default ingress controller. The IPs are suitable targets of a wildcard DNS record used to resolve default route host names. In dual stack clusters this list contains two IPs otherwise only one.", "nodeDNSIP": "nodeDNSIP is the IP address for the internal DNS used by the nodes. Unlike the one managed by the DNS operator, `NodeDNSIP` provides name resolution for the nodes themselves. There is no DNS-as-a-service for OpenStack deployments. In order to minimize necessary changes to the datacenter DNS, a DNS service is hosted as a static pod to serve those hostnames to the nodes in the cluster.", "loadBalancer": "loadBalancer defines how the load balancer used by the cluster is configured.", - "machineNetworks": "machineNetworks are IP networks used to connect all the OpenShift cluster nodes.", } func (OpenStackPlatformStatus) SwaggerDoc() map[string]string { 
@@ -1709,13 +1748,10 @@ func (VSpherePlatformNodeNetworkingSpec) SwaggerDoc() map[string]string { } var map_VSpherePlatformSpec = map[string]string{ - "": "VSpherePlatformSpec holds the desired state of the vSphere infrastructure provider. In the future the cloud provider operator, storage operator and machine operator will use these fields for configuration.", - "vcenters": "vcenters holds the connection details for services to communicate with vCenter. Currently, only a single vCenter is supported.", - "failureDomains": "failureDomains contains the definition of region, zone and the vCenter topology. If this is omitted failure domains (regions and zones) will not be used.", - "nodeNetworking": "nodeNetworking contains the definition of internal and external network constraints for assigning the node's networking. If this field is omitted, networking defaults to the legacy address selection behavior which is to only support a single address and return the first one found.", - "apiServerInternalIPs": "apiServerInternalIPs are the IP addresses to contact the Kubernetes API server that can be used by components inside the cluster, like kubelets using the infrastructure rather than Kubernetes networking. These are the IPs for a self-hosted load balancer in front of the API servers. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. When omitted, values from the status.apiServerInternalIPs will be used. Once set, the list cannot be completely removed (but its second entry can).", - "ingressIPs": "ingressIPs are the external IPs which route to the default ingress controller. The IPs are suitable targets of a wildcard DNS record used to resolve default route host names. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. 
When omitted, values from the status.ingressIPs will be used. Once set, the list cannot be completely removed (but its second entry can).", - "machineNetworks": "machineNetworks are IP networks used to connect all the OpenShift cluster nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6, for example \"10.0.0.0/8\" or \"fd00::/8\".", + "": "VSpherePlatformSpec holds the desired state of the vSphere infrastructure provider. In the future the cloud provider operator, storage operator and machine operator will use these fields for configuration.", + "vcenters": "vcenters holds the connection details for services to communicate with vCenter. Currently, only a single vCenter is supported.", + "failureDomains": "failureDomains contains the definition of region, zone and the vCenter topology. If this is omitted failure domains (regions and zones) will not be used.", + "nodeNetworking": "nodeNetworking contains the definition of internal and external network constraints for assigning the node's networking. If this field is omitted, networking defaults to the legacy address selection behavior which is to only support a single address and return the first one found.", } func (VSpherePlatformSpec) SwaggerDoc() map[string]string { 
@@ -1730,7 +1766,6 @@ var map_VSpherePlatformStatus = map[string]string{ "ingressIPs": "ingressIPs are the external IPs which route to the default ingress controller. The IPs are suitable targets of a wildcard DNS record used to resolve default route host names. In dual stack clusters this list contains two IPs otherwise only one.", "nodeDNSIP": "nodeDNSIP is the IP address for the internal DNS used by the nodes. Unlike the one managed by the DNS operator, `NodeDNSIP` provides name resolution for the nodes themselves. There is no DNS-as-a-service for vSphere deployments. In order to minimize necessary changes to the datacenter DNS, a DNS service is hosted as a static pod to serve those hostnames to the nodes in the cluster.", "loadBalancer": "loadBalancer defines how the load balancer used by the cluster is configured.", - "machineNetworks": "machineNetworks are IP networks used to connect all the OpenShift cluster nodes.", } func (VSpherePlatformStatus) SwaggerDoc() map[string]string { diff --git a/vendor/github.com/openshift/api/config/v1alpha1/0000_10_config-operator_01_clusterimagepolicy-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1alpha1/0000_10_config-operator_01_clusterimagepolicy-CustomNoUpgrade.crd.yaml new file mode 100644 index 000000000..c12c81f8c --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1alpha1/0000_10_config-operator_01_clusterimagepolicy-CustomNoUpgrade.crd.yaml 
@@ -0,0 +1,243 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/1457 + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: clusterimagepolicies.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ClusterImagePolicy + listKind: ClusterImagePolicyList + plural: clusterimagepolicies + singular: clusterimagepolicy + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: "ClusterImagePolicy holds cluster-wide configuration for image signature verification \n Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support." + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: spec contains the configuration for the cluster image policy. 
+ type: object + required: + - policy + - scopes + properties: + policy: + description: policy contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated. + type: object + required: + - rootOfTrust + properties: + rootOfTrust: + description: rootOfTrust specifies the root of trust for the policy. + type: object + required: + - policyType + properties: + fulcioCAWithRekor: + description: 'fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor' + type: object + required: + - fulcioCAData + - fulcioSubject + - rekorKeyData + properties: + fulcioCAData: + description: fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters. + type: string + maxLength: 8192 + fulcioSubject: + description: fulcioSubject specifies OIDC issuer and the email of the Fulcio authentication configuration. + type: object + required: + - oidcIssuer + - signedEmail + properties: + oidcIssuer: + description: 'oidcIssuer contains the expected OIDC issuer. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: "https://expected.OIDC.issuer/"' + type: string + x-kubernetes-validations: + - rule: isURL(self) + message: oidcIssuer must be a valid URL + signedEmail: + description: 'signedEmail holds the email address the the Fulcio certificate is issued for. 
Example: "expected-signing-user@example.com"' + type: string + x-kubernetes-validations: + - rule: self.matches('^\\S+@\\S+$') + message: invalid email address + rekorKeyData: + description: rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. + type: string + maxLength: 8192 + policyType: + description: policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. + type: string + enum: + - PublicKey + - FulcioCAWithRekor + publicKey: + description: publicKey defines the root of trust based on a sigstore public key. + type: object + required: + - keyData + properties: + keyData: + description: keyData contains inline base64-encoded data for the PEM format public key. KeyData must be at most 8192 characters. + type: string + maxLength: 8192 + rekorKeyData: + description: rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. + type: string + maxLength: 8192 + x-kubernetes-validations: + - rule: 'has(self.policyType) && self.policyType == ''PublicKey'' ? has(self.publicKey) : !has(self.publicKey)' + message: publicKey is required when policyType is PublicKey, and forbidden otherwise + - rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' + message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise + signedIdentity: + description: signedIdentity specifies what image identity the signature claims about the image. 
The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". + type: object + required: + - matchPolicy + properties: + exactRepository: + description: exactRepository is required if matchPolicy is set to "ExactRepository". + type: object + required: + - repository + properties: + repository: + description: repository is the reference of the image identity to be matched. The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox + type: string + maxLength: 512 + x-kubernetes-validations: + - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? self.matches(''^(localhost:[0-9]+)$''): true' + message: invalid repository or prefix in the signedIdentity, should not include the tag or digest + - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + message: invalid repository or prefix in the signedIdentity + matchPolicy: + description: matchPolicy sets the type of matching to be used. Valid values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". If set matchPolicy to ExactRepository, then the exactRepository must be specified. If set matchPolicy to RemapIdentity, then the remapIdentity must be specified. "MatchRepoDigestOrExact" means that the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. 
"MatchRepository" means that the identity in the signature must be in the same repository as the image identity. "ExactRepository" means that the identity in the signature must be in the same repository as a specific identity specified by "repository". "RemapIdentity" means that the signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. + type: string + enum: + - MatchRepoDigestOrExact + - MatchRepository + - ExactRepository + - RemapIdentity + remapIdentity: + description: remapIdentity is required if matchPolicy is set to "RemapIdentity". + type: object + required: + - prefix + - signedPrefix + properties: + prefix: + description: prefix is the prefix of the image identity to be matched. If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). This useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + type: string + maxLength: 512 + x-kubernetes-validations: + - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? 
self.matches(''^(localhost:[0-9]+)$''): true' + message: invalid repository or prefix in the signedIdentity, should not include the tag or digest + - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + message: invalid repository or prefix in the signedIdentity + signedPrefix: + description: signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + type: string + maxLength: 512 + x-kubernetes-validations: + - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? self.matches(''^(localhost:[0-9]+)$''): true' + message: invalid repository or prefix in the signedIdentity, should not include the tag or digest + - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + message: invalid repository or prefix in the signedIdentity + x-kubernetes-validations: + - rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') ? has(self.exactRepository) : !has(self.exactRepository)' + message: exactRepository is required when matchPolicy is ExactRepository, and forbidden otherwise + - rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') ? 
has(self.remapIdentity) : !has(self.remapIdentity)' + message: remapIdentity is required when matchPolicy is RemapIdentity, and forbidden otherwise + scopes: + description: 'scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. Please be aware that the scopes should not be nested under the repositories of OpenShift Container Platform images. If configured, the policies for OpenShift Container Platform repositories will not be in effect. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker' + type: array + maxItems: 256 + items: + type: string + maxLength: 512 + x-kubernetes-validations: + - rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] == ''localhost'' : true' + message: invalid image scope format, scope must contain a fully qualified domain name or 'localhost' + - rule: 'self.contains(''*'') ? 
self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') : true' + message: invalid image scope with wildcard, a wildcard can only be at the start of the domain and is only supported for subdomain matching, not path matching + - rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') : true' + message: invalid repository namespace or image specification in the image scope + x-kubernetes-list-type: set + status: + description: status contains the observed state of the resource. + type: object + properties: + conditions: + description: conditions provide details on the status of this API Resource. + type: array + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + type: object + required: + - lastTransitionTime + - message + - reason + - status + - type + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ type: string + format: date-time + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + type: string + maxLength: 32768 + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + type: integer + format: int64 + minimum: 0 + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + type: string + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + status: + description: status of the condition, one of True, False, Unknown. + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + type: string + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + served: true + storage: true + subresources: + status: {} 
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/0000_10_config-operator_01_clusterimagepolicy-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1alpha1/0000_10_config-operator_01_clusterimagepolicy-TechPreviewNoUpgrade.crd.yaml
new file mode 100644
index 000000000..69b69e764
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1alpha1/0000_10_config-operator_01_clusterimagepolicy-TechPreviewNoUpgrade.crd.yaml
@@ -0,0 +1,243 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/1457 + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: clusterimagepolicies.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ClusterImagePolicy + listKind: ClusterImagePolicyList + plural: clusterimagepolicies + singular: clusterimagepolicy + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: "ClusterImagePolicy holds cluster-wide configuration for image signature verification \n Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support." + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: spec contains the configuration for the cluster image policy. 
+ type: object + required: + - policy + - scopes + properties: + policy: + description: policy contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated. + type: object + required: + - rootOfTrust + properties: + rootOfTrust: + description: rootOfTrust specifies the root of trust for the policy. + type: object + required: + - policyType + properties: + fulcioCAWithRekor: + description: 'fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor' + type: object + required: + - fulcioCAData + - fulcioSubject + - rekorKeyData + properties: + fulcioCAData: + description: fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters. + type: string + maxLength: 8192 + fulcioSubject: + description: fulcioSubject specifies OIDC issuer and the email of the Fulcio authentication configuration. + type: object + required: + - oidcIssuer + - signedEmail + properties: + oidcIssuer: + description: 'oidcIssuer contains the expected OIDC issuer. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: "https://expected.OIDC.issuer/"' + type: string + x-kubernetes-validations: + - rule: isURL(self) + message: oidcIssuer must be a valid URL + signedEmail: + description: 'signedEmail holds the email address the the Fulcio certificate is issued for. 
Example: "expected-signing-user@example.com"' + type: string + x-kubernetes-validations: + - rule: self.matches('^\\S+@\\S+$') + message: invalid email address + rekorKeyData: + description: rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. + type: string + maxLength: 8192 + policyType: + description: policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. + type: string + enum: + - PublicKey + - FulcioCAWithRekor + publicKey: + description: publicKey defines the root of trust based on a sigstore public key. + type: object + required: + - keyData + properties: + keyData: + description: keyData contains inline base64-encoded data for the PEM format public key. KeyData must be at most 8192 characters. + type: string + maxLength: 8192 + rekorKeyData: + description: rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. + type: string + maxLength: 8192 + x-kubernetes-validations: + - rule: 'has(self.policyType) && self.policyType == ''PublicKey'' ? has(self.publicKey) : !has(self.publicKey)' + message: publicKey is required when policyType is PublicKey, and forbidden otherwise + - rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' + message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise + signedIdentity: + description: signedIdentity specifies what image identity the signature claims about the image. 
The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". + type: object + required: + - matchPolicy + properties: + exactRepository: + description: exactRepository is required if matchPolicy is set to "ExactRepository". + type: object + required: + - repository + properties: + repository: + description: repository is the reference of the image identity to be matched. The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox + type: string + maxLength: 512 + x-kubernetes-validations: + - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? self.matches(''^(localhost:[0-9]+)$''): true' + message: invalid repository or prefix in the signedIdentity, should not include the tag or digest + - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + message: invalid repository or prefix in the signedIdentity + matchPolicy: + description: matchPolicy sets the type of matching to be used. Valid values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". If set matchPolicy to ExactRepository, then the exactRepository must be specified. If set matchPolicy to RemapIdentity, then the remapIdentity must be specified. "MatchRepoDigestOrExact" means that the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. 
"MatchRepository" means that the identity in the signature must be in the same repository as the image identity. "ExactRepository" means that the identity in the signature must be in the same repository as a specific identity specified by "repository". "RemapIdentity" means that the signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. + type: string + enum: + - MatchRepoDigestOrExact + - MatchRepository + - ExactRepository + - RemapIdentity + remapIdentity: + description: remapIdentity is required if matchPolicy is set to "RemapIdentity". + type: object + required: + - prefix + - signedPrefix + properties: + prefix: + description: prefix is the prefix of the image identity to be matched. If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). This useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + type: string + maxLength: 512 + x-kubernetes-validations: + - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? 
self.matches(''^(localhost:[0-9]+)$''): true' + message: invalid repository or prefix in the signedIdentity, should not include the tag or digest + - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + message: invalid repository or prefix in the signedIdentity + signedPrefix: + description: signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + type: string + maxLength: 512 + x-kubernetes-validations: + - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? self.matches(''^(localhost:[0-9]+)$''): true' + message: invalid repository or prefix in the signedIdentity, should not include the tag or digest + - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + message: invalid repository or prefix in the signedIdentity + x-kubernetes-validations: + - rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') ? has(self.exactRepository) : !has(self.exactRepository)' + message: exactRepository is required when matchPolicy is ExactRepository, and forbidden otherwise + - rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') ? 
has(self.remapIdentity) : !has(self.remapIdentity)' + message: remapIdentity is required when matchPolicy is RemapIdentity, and forbidden otherwise + scopes: + description: 'scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. Please be aware that the scopes should not be nested under the repositories of OpenShift Container Platform images. If configured, the policies for OpenShift Container Platform repositories will not be in effect. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker' + type: array + maxItems: 256 + items: + type: string + maxLength: 512 + x-kubernetes-validations: + - rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] == ''localhost'' : true' + message: invalid image scope format, scope must contain a fully qualified domain name or 'localhost' + - rule: 'self.contains(''*'') ? 
self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') : true' + message: invalid image scope with wildcard, a wildcard can only be at the start of the domain and is only supported for subdomain matching, not path matching + - rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') : true' + message: invalid repository namespace or image specification in the image scope + x-kubernetes-list-type: set + status: + description: status contains the observed state of the resource. + type: object + properties: + conditions: + description: conditions provide details on the status of this API Resource. + type: array + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + type: object + required: + - lastTransitionTime + - message + - reason + - status + - type + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ type: string + format: date-time + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + type: string + maxLength: 32768 + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + type: integer + format: int64 + minimum: 0 + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + type: string + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + status: + description: status of the condition, one of True, False, Unknown. + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + type: string + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + served: true + storage: true + subresources: + status: {} 
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/0000_10_config-operator_01_imagepolicy-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1alpha1/0000_10_config-operator_01_imagepolicy-CustomNoUpgrade.crd.yaml
new file mode 100644
index 000000000..afc22036c
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1alpha1/0000_10_config-operator_01_imagepolicy-CustomNoUpgrade.crd.yaml
@@ -0,0 +1,243 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/1457 + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: imagepolicies.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ImagePolicy + listKind: ImagePolicyList + plural: imagepolicies + singular: imagepolicy + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: "ImagePolicy holds namespace-wide configuration for image signature verification \n Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support." + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + type: object + required: + - policy + - scopes + properties: + policy: + description: policy contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated. + type: object + required: + - rootOfTrust + properties: + rootOfTrust: + description: rootOfTrust specifies the root of trust for the policy. + type: object + required: + - policyType + properties: + fulcioCAWithRekor: + description: 'fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor' + type: object + required: + - fulcioCAData + - fulcioSubject + - rekorKeyData + properties: + fulcioCAData: + description: fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters. + type: string + maxLength: 8192 + fulcioSubject: + description: fulcioSubject specifies OIDC issuer and the email of the Fulcio authentication configuration. + type: object + required: + - oidcIssuer + - signedEmail + properties: + oidcIssuer: + description: 'oidcIssuer contains the expected OIDC issuer. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: "https://expected.OIDC.issuer/"' + type: string + x-kubernetes-validations: + - rule: isURL(self) + message: oidcIssuer must be a valid URL + signedEmail: + description: 'signedEmail holds the email address the the Fulcio certificate is issued for. 
Example: "expected-signing-user@example.com"' + type: string + x-kubernetes-validations: + - rule: self.matches('^\\S+@\\S+$') + message: invalid email address + rekorKeyData: + description: rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. + type: string + maxLength: 8192 + policyType: + description: policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. + type: string + enum: + - PublicKey + - FulcioCAWithRekor + publicKey: + description: publicKey defines the root of trust based on a sigstore public key. + type: object + required: + - keyData + properties: + keyData: + description: keyData contains inline base64-encoded data for the PEM format public key. KeyData must be at most 8192 characters. + type: string + maxLength: 8192 + rekorKeyData: + description: rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. + type: string + maxLength: 8192 + x-kubernetes-validations: + - rule: 'has(self.policyType) && self.policyType == ''PublicKey'' ? has(self.publicKey) : !has(self.publicKey)' + message: publicKey is required when policyType is PublicKey, and forbidden otherwise + - rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' + message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise + signedIdentity: + description: signedIdentity specifies what image identity the signature claims about the image. 
The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". + type: object + required: + - matchPolicy + properties: + exactRepository: + description: exactRepository is required if matchPolicy is set to "ExactRepository". + type: object + required: + - repository + properties: + repository: + description: repository is the reference of the image identity to be matched. The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox + type: string + maxLength: 512 + x-kubernetes-validations: + - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? self.matches(''^(localhost:[0-9]+)$''): true' + message: invalid repository or prefix in the signedIdentity, should not include the tag or digest + - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + message: invalid repository or prefix in the signedIdentity + matchPolicy: + description: matchPolicy sets the type of matching to be used. Valid values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". If set matchPolicy to ExactRepository, then the exactRepository must be specified. If set matchPolicy to RemapIdentity, then the remapIdentity must be specified. "MatchRepoDigestOrExact" means that the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. 
"MatchRepository" means that the identity in the signature must be in the same repository as the image identity. "ExactRepository" means that the identity in the signature must be in the same repository as a specific identity specified by "repository". "RemapIdentity" means that the signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. + type: string + enum: + - MatchRepoDigestOrExact + - MatchRepository + - ExactRepository + - RemapIdentity + remapIdentity: + description: remapIdentity is required if matchPolicy is set to "RemapIdentity". + type: object + required: + - prefix + - signedPrefix + properties: + prefix: + description: prefix is the prefix of the image identity to be matched. If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). This useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + type: string + maxLength: 512 + x-kubernetes-validations: + - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? 
self.matches(''^(localhost:[0-9]+)$''): true' + message: invalid repository or prefix in the signedIdentity, should not include the tag or digest + - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + message: invalid repository or prefix in the signedIdentity + signedPrefix: + description: signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + type: string + maxLength: 512 + x-kubernetes-validations: + - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? self.matches(''^(localhost:[0-9]+)$''): true' + message: invalid repository or prefix in the signedIdentity, should not include the tag or digest + - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + message: invalid repository or prefix in the signedIdentity + x-kubernetes-validations: + - rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') ? has(self.exactRepository) : !has(self.exactRepository)' + message: exactRepository is required when matchPolicy is ExactRepository, and forbidden otherwise + - rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') ? 
has(self.remapIdentity) : !has(self.remapIdentity)' + message: remapIdentity is required when matchPolicy is RemapIdentity, and forbidden otherwise + scopes: + description: 'scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. Please be aware that the scopes should not be nested under the repositories of OpenShift Container Platform images. If configured, the policies for OpenShift Container Platform repositories will not be in effect. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker' + type: array + maxItems: 256 + items: + type: string + maxLength: 512 + x-kubernetes-validations: + - rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] == ''localhost'' : true' + message: invalid image scope format, scope must contain a fully qualified domain name or 'localhost' + - rule: 'self.contains(''*'') ? 
self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') : true' + message: invalid image scope with wildcard, a wildcard can only be at the start of the domain and is only supported for subdomain matching, not path matching + - rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') : true' + message: invalid repository namespace or image specification in the image scope + x-kubernetes-list-type: set + status: + description: status contains the observed state of the resource. + type: object + properties: + conditions: + description: conditions provide details on the status of this API Resource. + type: array + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + type: object + required: + - lastTransitionTime + - message + - reason + - status + - type + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ type: string + format: date-time + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + type: string + maxLength: 32768 + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + type: integer + format: int64 + minimum: 0 + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + type: string + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + status: + description: status of the condition, one of True, False, Unknown. + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + type: string + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + served: true + storage: true + subresources: + status: {} 
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/0000_10_config-operator_01_imagepolicy-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1alpha1/0000_10_config-operator_01_imagepolicy-TechPreviewNoUpgrade.crd.yaml
new file mode 100644
index 000000000..d800072ba
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1alpha1/0000_10_config-operator_01_imagepolicy-TechPreviewNoUpgrade.crd.yaml
@@ -0,0 +1,243 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/1457 + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: imagepolicies.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ImagePolicy + listKind: ImagePolicyList + plural: imagepolicies + singular: imagepolicy + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: "ImagePolicy holds namespace-wide configuration for image signature verification \n Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support." + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + type: object + required: + - policy + - scopes + properties: + policy: + description: policy contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated. + type: object + required: + - rootOfTrust + properties: + rootOfTrust: + description: rootOfTrust specifies the root of trust for the policy. + type: object + required: + - policyType + properties: + fulcioCAWithRekor: + description: 'fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor' + type: object + required: + - fulcioCAData + - fulcioSubject + - rekorKeyData + properties: + fulcioCAData: + description: fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters. + type: string + maxLength: 8192 + fulcioSubject: + description: fulcioSubject specifies OIDC issuer and the email of the Fulcio authentication configuration. + type: object + required: + - oidcIssuer + - signedEmail + properties: + oidcIssuer: + description: 'oidcIssuer contains the expected OIDC issuer. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: "https://expected.OIDC.issuer/"' + type: string + x-kubernetes-validations: + - rule: isURL(self) + message: oidcIssuer must be a valid URL + signedEmail: + description: 'signedEmail holds the email address the the Fulcio certificate is issued for. 
Example: "expected-signing-user@example.com"' + type: string + x-kubernetes-validations: + - rule: self.matches('^\\S+@\\S+$') + message: invalid email address + rekorKeyData: + description: rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. + type: string + maxLength: 8192 + policyType: + description: policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. + type: string + enum: + - PublicKey + - FulcioCAWithRekor + publicKey: + description: publicKey defines the root of trust based on a sigstore public key. + type: object + required: + - keyData + properties: + keyData: + description: keyData contains inline base64-encoded data for the PEM format public key. KeyData must be at most 8192 characters. + type: string + maxLength: 8192 + rekorKeyData: + description: rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. + type: string + maxLength: 8192 + x-kubernetes-validations: + - rule: 'has(self.policyType) && self.policyType == ''PublicKey'' ? has(self.publicKey) : !has(self.publicKey)' + message: publicKey is required when policyType is PublicKey, and forbidden otherwise + - rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' + message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise + signedIdentity: + description: signedIdentity specifies what image identity the signature claims about the image. 
The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". + type: object + required: + - matchPolicy + properties: + exactRepository: + description: exactRepository is required if matchPolicy is set to "ExactRepository". + type: object + required: + - repository + properties: + repository: + description: repository is the reference of the image identity to be matched. The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox + type: string + maxLength: 512 + x-kubernetes-validations: + - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? self.matches(''^(localhost:[0-9]+)$''): true' + message: invalid repository or prefix in the signedIdentity, should not include the tag or digest + - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + message: invalid repository or prefix in the signedIdentity + matchPolicy: + description: matchPolicy sets the type of matching to be used. Valid values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". If set matchPolicy to ExactRepository, then the exactRepository must be specified. If set matchPolicy to RemapIdentity, then the remapIdentity must be specified. "MatchRepoDigestOrExact" means that the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. 
"MatchRepository" means that the identity in the signature must be in the same repository as the image identity. "ExactRepository" means that the identity in the signature must be in the same repository as a specific identity specified by "repository". "RemapIdentity" means that the signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. + type: string + enum: + - MatchRepoDigestOrExact + - MatchRepository + - ExactRepository + - RemapIdentity + remapIdentity: + description: remapIdentity is required if matchPolicy is set to "RemapIdentity". + type: object + required: + - prefix + - signedPrefix + properties: + prefix: + description: prefix is the prefix of the image identity to be matched. If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). This useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + type: string + maxLength: 512 + x-kubernetes-validations: + - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? 
self.matches(''^(localhost:[0-9]+)$''): true' + message: invalid repository or prefix in the signedIdentity, should not include the tag or digest + - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + message: invalid repository or prefix in the signedIdentity + signedPrefix: + description: signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + type: string + maxLength: 512 + x-kubernetes-validations: + - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? self.matches(''^(localhost:[0-9]+)$''): true' + message: invalid repository or prefix in the signedIdentity, should not include the tag or digest + - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + message: invalid repository or prefix in the signedIdentity + x-kubernetes-validations: + - rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') ? has(self.exactRepository) : !has(self.exactRepository)' + message: exactRepository is required when matchPolicy is ExactRepository, and forbidden otherwise + - rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') ? 
has(self.remapIdentity) : !has(self.remapIdentity)' + message: remapIdentity is required when matchPolicy is RemapIdentity, and forbidden otherwise + scopes: + description: 'scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. Please be aware that the scopes should not be nested under the repositories of OpenShift Container Platform images. If configured, the policies for OpenShift Container Platform repositories will not be in effect. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker' + type: array + maxItems: 256 + items: + type: string + maxLength: 512 + x-kubernetes-validations: + - rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] == ''localhost'' : true' + message: invalid image scope format, scope must contain a fully qualified domain name or 'localhost' + - rule: 'self.contains(''*'') ? 
self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') : true' + message: invalid image scope with wildcard, a wildcard can only be at the start of the domain and is only supported for subdomain matching, not path matching + - rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') : true' + message: invalid repository namespace or image specification in the image scope + x-kubernetes-list-type: set + status: + description: status contains the observed state of the resource. + type: object + properties: + conditions: + description: conditions provide details on the status of this API Resource. + type: array + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + type: object + required: + - lastTransitionTime + - message + - reason + - status + - type + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ type: string + format: date-time + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + type: string + maxLength: 32768 + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + type: integer + format: int64 + minimum: 0 + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + type: string + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + status: + description: status of the condition, one of True, False, Unknown. + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + type: string + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + served: true + storage: true + subresources: + status: {} 
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/custom.clusterimagepolicy.testsuite.yaml b/vendor/github.com/openshift/api/config/v1alpha1/custom.clusterimagepolicy.testsuite.yaml
new file mode 100644
index 000000000..232bdf037
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1alpha1/custom.clusterimagepolicy.testsuite.yaml
@@ -0,0 +1,451 @@ +apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this +name: "[CustomNoUpgrade] ClusterImagePolicy" +crd: 0000_10_config-operator_01_clusterimagepolicy-CustomNoUpgrade.crd.yaml +tests: + onCreate: + - name: Should be able to create a minimal ImagePolicy with policyType PublicKey + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + - name: Should be able to create a minimal ImagePolicy with policyType FulcioCAWithRekor + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: FulcioCAWithRekor + fulcioCAWithRekor: + fulcioCAData: Zm9vIGJhcg== + rekorKeyData: Zm9vIGJhcg== + fulcioSubject: + oidcIssuer: https://oidc.localhost + signedEmail: test-user@example.com + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: FulcioCAWithRekor + fulcioCAWithRekor: + fulcioCAData: Zm9vIGJhcg== + rekorKeyData: Zm9vIGJhcg== + fulcioSubject: + oidcIssuer: https://oidc.localhost + signedEmail: test-user@example.com + - name: Should not allow policyType PublicKey but not set publicKey + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + FulcioCAWithRekor: + fulcioCAData: Zm9vIGJhcg== + rekorKeyData: Zm9vIGJhcg== + fulcioSubject: + oidcIssuer: https://oidc.localhost + signedEmail: test-user@example.com + expectedError: "spec.policy.rootOfTrust: Invalid value: 
\"object\": publicKey is required when policyType is PublicKey, and forbidden otherwise" + - name: Should not allow policyType FulcioCAData but not set fulcioCAWithRekor + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: FulcioCAWithRekor + PublicKey: + keyData: Zm9vIGJhcg== + expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise" + - name: Should not allow policyType set but not set corresponding policy + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": publicKey is required when policyType is PublicKey, and forbidden otherwise" + - name: Should not allow policyType set FulcioCAWith but not set corresponding policy + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: FulcioCAWithRekor + expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise" + - name: Should not allow signedIdentity matchPolicy ExactRepository but not set repository + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: ExactRepository + expectedError: "spec.policy.signedIdentity: Invalid value: \"object\": exactRepository is required when matchPolicy is ExactRepository, and forbidden otherwise" + - name: Should not allow signedIdentity matchPolicy RemapIdentity but not set prefixes + initial: | + apiVersion: 
config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: RemapIdentity + expectedError: "spec.policy.signedIdentity: Invalid value: \"object\": remapIdentity is required when matchPolicy is RemapIdentity, and forbidden otherwise" + - name: Test scope should not allow 'busybox' + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - busybox + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expectedError: "spec.scopes[0]: Invalid value: \"string\": invalid image scope format, scope must contain a fully qualified domain name or 'localhost'" + - name: Test scope should not allow start with subnamesapces '*.example.com/test' + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - "*.example.com/test" + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expectedError: "spec.scopes[0]: Invalid value: \"string\": invalid image scope with wildcard, a wildcard can only be at the start of the domain and is only supported for subdomain matching, not path matching" + - name: Test scope should not allow invalid digest + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com/namespace/namespace@sha256:12dsdf + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expectedError: "spec.scopes[0]: Invalid value: \"string\": invalid repository namespace or image specification in the image scope" + - name: Test should not allow tag in ExactRepository repository + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: 
+ matchPolicy: ExactRepository + exactRepository: + repository: example.com/namespace/namespace:latest + expectedError: "[spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity]" + - name: Test should not allow tag in ExactRepository repository + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: ExactRepository + exactRepository: + repository: localhost:1234/namespace/namespace:latest + expectedError: "[spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity]" + - name: Test should not allow digest in ExactRepository repository + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: ExactRepository + exactRepository: + repository: localhost:1234/namespace/namespace@sha256:b7e686e30346e9ace664fa09c0275262f8b9a443ed56d22165a0e201f6488c13 + expectedError: "[spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity]" + - name: Test should not allow tag in prefix/signedPrefix + 
initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: RemapIdentity + remapIdentity: + prefix: example.com/namespace:latest + signedPrefix: example.com/namespace + expectedError: "[spec.policy.signedIdentity.remapIdentity.prefix: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.remapIdentity.prefix: Invalid value: \"string\": invalid repository or prefix in the signedIdentity]" + - name: Test should allow valid ExactRepository repository + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: ExactRepository + exactRepository: + repository: example.com + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: ExactRepository + exactRepository: + repository: example.com + - name: Test should allow valid signedIdentity prefix/signedPrefix + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: RemapIdentity + remapIdentity: + prefix: example.com + signedPrefix: mirror.com + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: RemapIdentity + remapIdentity: + prefix: example.com + 
signedPrefix: mirror.com + - name: Test scope should allow localhost name with port 'localhost:1234/namespace/namespace' + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - localhost:1234/namespace/namespace + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - localhost:1234/namespace/namespace + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + - name: Test scope should allow localhost 'localhost/foo/bar' + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - localhost/foo/bar + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - localhost/foo/bar + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + - name: Test scope should allow 'example.com/foo/bar' + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com/foo/bar + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com/foo/bar + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + - name: Test scope should allow tag 'example.com/foo/bar:latest' + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com/foo/bar:latest + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com/foo/bar:latest + policy: + rootOfTrust: + policyType: 
PublicKey + publicKey: + keyData: Zm9vIGJhcg== + - name: Test scope should allow full specification digest + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com/namespace/namespace@sha256:b7e686e30346e9ace664fa09c0275262f8b9a443ed56d22165a0e201f6488c13 + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com/namespace/namespace@sha256:b7e686e30346e9ace664fa09c0275262f8b9a443ed56d22165a0e201f6488c13 + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + - name: Test scope should allow '*.example.com' + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - "*.example.com" + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - "*.example.com" + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== diff --git a/vendor/github.com/openshift/api/config/v1alpha1/custom.imagepolicy.testsuite.yaml b/vendor/github.com/openshift/api/config/v1alpha1/custom.imagepolicy.testsuite.yaml new file mode 100644 index 000000000..05b1487fa --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1alpha1/custom.imagepolicy.testsuite.yaml 
@@ -0,0 +1,451 @@
+apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
+name: "[CustomNoUpgrade] ImagePolicy"
+crd: 0000_10_config-operator_01_imagepolicy-CustomNoUpgrade.crd.yaml
+tests:
+ onCreate:
+ - name: Should be able to create a minimal ImagePolicy with policyType PublicKey
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - example.com
+ policy:
+ rootOfTrust:
+ policyType: PublicKey
+ publicKey:
+ keyData: Zm9vIGJhcg==
+ expected: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - example.com
+ policy:
+ rootOfTrust:
+ policyType: PublicKey
+ publicKey:
+ keyData: Zm9vIGJhcg==
+ - name: Should be able to create a minimal ImagePolicy with policyType FulcioCAWithRekor
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - example.com
+ policy:
+ rootOfTrust:
+ policyType: FulcioCAWithRekor
+ fulcioCAWithRekor:
+ fulcioCAData: Zm9vIGJhcg==
+ rekorKeyData: Zm9vIGJhcg==
+ fulcioSubject:
+ oidcIssuer: https://oidc.localhost
+ signedEmail: test-user@example.com
+ expected: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - example.com
+ policy:
+ rootOfTrust:
+ policyType: FulcioCAWithRekor
+ fulcioCAWithRekor:
+ fulcioCAData: Zm9vIGJhcg==
+ rekorKeyData: Zm9vIGJhcg==
+ fulcioSubject:
+ oidcIssuer: https://oidc.localhost
+ signedEmail: test-user@example.com
+ - name: Should not allow policyType PublicKey but not set publicKey
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - example.com
+ policy:
+ rootOfTrust:
+ policyType: PublicKey
+ FulcioCAWithRekor:
+ fulcioCAData: Zm9vIGJhcg==
+ rekorKeyData: Zm9vIGJhcg==
+ fulcioSubject:
+ oidcIssuer: https://oidc.localhost
+ signedEmail: test-user@example.com
+ expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": publicKey is required when policyType is PublicKey, and forbidden otherwise"
+ - name: Should not allow policyType FulcioCAData but not set fulcioCAWithRekor
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - example.com
+ policy:
+ rootOfTrust:
+ policyType: FulcioCAWithRekor
+ PublicKey:
+ keyData: Zm9vIGJhcg==
+ expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise"
+ - name: Should not allow policyType set but not set corresponding policy
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - example.com
+ policy:
+ rootOfTrust:
+ policyType: PublicKey
+ expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": publicKey is required when policyType is PublicKey, and forbidden otherwise"
+ - name: Should not allow policyType set FulcioCAWith but not set corresponding policy
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - example.com
+ policy:
+ rootOfTrust:
+ policyType: FulcioCAWithRekor
+ expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise"
+ - name: Should not allow signedIdentity matchPolicy ExactRepository but not set repository
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - example.com
+ policy:
+ rootOfTrust:
+ policyType: PublicKey
+ publicKey:
+ keyData: Zm9vIGJhcg==
+ signedIdentity:
+ matchPolicy: ExactRepository
+ expectedError: "spec.policy.signedIdentity: Invalid value: \"object\": exactRepository is required when matchPolicy is ExactRepository, and forbidden otherwise"
+ - name: Should not allow signedIdentity matchPolicy RemapIdentity but not set prefixes
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - example.com
+ policy:
+ rootOfTrust:
+ policyType: PublicKey
+ publicKey:
+ keyData: Zm9vIGJhcg==
+ signedIdentity:
+ matchPolicy: RemapIdentity
+ expectedError: "spec.policy.signedIdentity: Invalid value: \"object\": remapIdentity is required when matchPolicy is RemapIdentity, and forbidden otherwise"
+ - name: Test scope should not allow 'busybox'
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - busybox
+ policy:
+ rootOfTrust:
+ policyType: PublicKey
+ publicKey:
+ keyData: Zm9vIGJhcg==
+ expectedError: "spec.scopes[0]: Invalid value: \"string\": invalid image scope format, scope must contain a fully qualified domain name or 'localhost'"
+ - name: Test scope should not allow start with subnamesapces '*.example.com/test'
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - "*.example.com/test"
+ policy:
+ rootOfTrust:
+ policyType: PublicKey
+ publicKey:
+ keyData: Zm9vIGJhcg==
+ expectedError: "spec.scopes[0]: Invalid value: \"string\": invalid image scope with wildcard, a wildcard can only be at the start of the domain and is only supported for subdomain matching, not path matching"
+ - name: Test scope should not allow invalid digest
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - example.com/namespace/namespace@sha256:12dsdf
+ policy:
+ rootOfTrust:
+ policyType: PublicKey
+ publicKey:
+ keyData: Zm9vIGJhcg==
+ expectedError: "spec.scopes[0]: Invalid value: \"string\": invalid repository namespace or image specification in the image scope"
+ - name: Test should not allow tag in ExactRepository repository
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - example.com
+ policy:
+ rootOfTrust:
+ policyType: PublicKey
+ publicKey:
+ keyData: Zm9vIGJhcg==
+ signedIdentity:
+ matchPolicy: ExactRepository
+ exactRepository:
+ repository: example.com/namespace/namespace:latest
+ expectedError: "[spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity]"
+ - name: Test should not allow tag in ExactRepository repository
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - example.com
+ policy:
+ rootOfTrust:
+ policyType: PublicKey
+ publicKey:
+ keyData: Zm9vIGJhcg==
+ signedIdentity:
+ matchPolicy: ExactRepository
+ exactRepository:
+ repository: localhost:1234/namespace/namespace:latest
+ expectedError: "[spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity]"
+ - name: Test should not allow digest in ExactRepository repository
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - example.com
+ policy:
+ rootOfTrust:
+ policyType: PublicKey
+ publicKey:
+ keyData: Zm9vIGJhcg==
+ signedIdentity:
+ matchPolicy: ExactRepository
+ exactRepository:
+ repository: localhost:1234/namespace/namespace@sha256:b7e686e30346e9ace664fa09c0275262f8b9a443ed56d22165a0e201f6488c13
+ expectedError: "[spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity]"
+ - name: Test should not allow tag in prefix/signedPrefix
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - example.com
+ policy:
+ rootOfTrust:
+ policyType: PublicKey
+ publicKey:
+ keyData: Zm9vIGJhcg==
+ signedIdentity:
+ matchPolicy: RemapIdentity
+ remapIdentity:
+ prefix: example.com/namespace:latest
+ signedPrefix: example.com/namespace
+ expectedError: "[spec.policy.signedIdentity.remapIdentity.prefix: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.remapIdentity.prefix: Invalid value: \"string\": invalid repository or prefix in the signedIdentity]"
+ - name: Test should allow valid ExactRepository repository
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - example.com
+ policy:
+ rootOfTrust:
+ policyType: PublicKey
+ publicKey:
+ keyData: Zm9vIGJhcg==
+ signedIdentity:
+ matchPolicy: ExactRepository
+ exactRepository:
+ repository: example.com
+ expected: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - example.com
+ policy:
+ rootOfTrust:
+ policyType: PublicKey
+ publicKey:
+ keyData: Zm9vIGJhcg==
+ signedIdentity:
+ matchPolicy: ExactRepository
+ exactRepository:
+ repository: example.com
+ - name: Test should allow valid signedIdentity prefix/signedPrefix
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - example.com
+ policy:
+ rootOfTrust:
+ policyType: PublicKey
+ publicKey:
+ keyData: Zm9vIGJhcg==
+ signedIdentity:
+ matchPolicy: RemapIdentity
+ remapIdentity:
+ prefix: example.com
+ signedPrefix: mirror.com
+ expected: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - example.com
+ policy:
+ rootOfTrust:
+ policyType: PublicKey
+ publicKey:
+ keyData: Zm9vIGJhcg==
+ signedIdentity:
+ matchPolicy: RemapIdentity
+ remapIdentity:
+ prefix: example.com
+ signedPrefix: mirror.com
+ - name: Test scope should allow localhost name with port 'localhost:1234/namespace/namespace'
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - localhost:1234/namespace/namespace
+ policy:
+ rootOfTrust:
+ policyType: PublicKey
+ publicKey:
+ keyData: Zm9vIGJhcg==
+ expected: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - localhost:1234/namespace/namespace
+ policy:
+ rootOfTrust:
+ policyType: PublicKey
+ publicKey:
+ keyData: Zm9vIGJhcg==
+ - name: Test scope should allow localhost 'localhost/foo/bar'
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - localhost/foo/bar
+ policy:
+ rootOfTrust:
+ policyType: PublicKey
+ publicKey:
+ keyData: Zm9vIGJhcg==
+ expected: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - localhost/foo/bar
+ policy:
+ rootOfTrust:
+ policyType: PublicKey
+ publicKey:
+ keyData: Zm9vIGJhcg==
+ - name: Test scope should allow 'example.com/foo/bar'
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - example.com/foo/bar
+ policy:
+ rootOfTrust:
+ policyType: PublicKey
+ publicKey:
+ keyData: Zm9vIGJhcg==
+ expected: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - example.com/foo/bar
+ policy:
+ rootOfTrust:
+ policyType: PublicKey
+ publicKey:
+ keyData: Zm9vIGJhcg==
+ - name: Test scope should allow tag 'example.com/foo/bar:latest'
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - example.com/foo/bar:latest
+ policy:
+ rootOfTrust:
+ policyType: PublicKey
+ publicKey:
+ keyData: Zm9vIGJhcg==
+ expected: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - example.com/foo/bar:latest
+ policy:
+ rootOfTrust:
+ policyType: PublicKey
+ publicKey:
+ keyData: Zm9vIGJhcg==
+ - name: Test scope should allow full specification digest
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - example.com/namespace/namespace@sha256:b7e686e30346e9ace664fa09c0275262f8b9a443ed56d22165a0e201f6488c13
+ policy:
+ rootOfTrust:
+ policyType: PublicKey
+ publicKey:
+ keyData: Zm9vIGJhcg==
+ expected: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - example.com/namespace/namespace@sha256:b7e686e30346e9ace664fa09c0275262f8b9a443ed56d22165a0e201f6488c13
+ policy:
+ rootOfTrust:
+ policyType: PublicKey
+ publicKey:
+ keyData: Zm9vIGJhcg==
+ - name: Test scope should allow '*.example.com'
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - "*.example.com"
+ policy:
+ rootOfTrust:
+ policyType: PublicKey
+ publicKey:
+ keyData: Zm9vIGJhcg==
+ expected: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: ImagePolicy
+ spec:
+ scopes:
+ - "*.example.com"
+ policy:
+ rootOfTrust:
+ policyType: PublicKey
+ publicKey:
+ keyData: Zm9vIGJhcg==
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/techpreview.clusterimagepolicy.testsuite.yaml b/vendor/github.com/openshift/api/config/v1alpha1/techpreview.clusterimagepolicy.testsuite.yaml
new file mode 100644
index 000000000..625310667
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1alpha1/techpreview.clusterimagepolicy.testsuite.yaml
@@ -0,0 +1,451 @@ +apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this +name: "[TechPreviewNoUpgrade] ClusterImagePolicy" +crd: 0000_10_config-operator_01_clusterimagepolicy-TechPreviewNoUpgrade.crd.yaml +tests: + onCreate: + - name: Should be able to create a minimal ImagePolicy with policyType PublicKey + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + - name: Should be able to create a minimal ImagePolicy with policyType FulcioCAWithRekor + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: FulcioCAWithRekor + fulcioCAWithRekor: + fulcioCAData: Zm9vIGJhcg== + rekorKeyData: Zm9vIGJhcg== + fulcioSubject: + oidcIssuer: https://oidc.localhost + signedEmail: test-user@example.com + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: FulcioCAWithRekor + fulcioCAWithRekor: + fulcioCAData: Zm9vIGJhcg== + rekorKeyData: Zm9vIGJhcg== + fulcioSubject: + oidcIssuer: https://oidc.localhost + signedEmail: test-user@example.com + - name: Should not allow policyType PublicKey but not set publicKey + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + FulcioCAWithRekor: + fulcioCAData: Zm9vIGJhcg== + rekorKeyData: Zm9vIGJhcg== + fulcioSubject: + oidcIssuer: https://oidc.localhost + signedEmail: test-user@example.com + expectedError: "spec.policy.rootOfTrust: Invalid 
value: \"object\": publicKey is required when policyType is PublicKey, and forbidden otherwise" + - name: Should not allow policyType FulcioCAData but not set fulcioCAWithRekor + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: FulcioCAWithRekor + PublicKey: + keyData: Zm9vIGJhcg== + expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise" + - name: Should not allow policyType set but not set corresponding policy + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": publicKey is required when policyType is PublicKey, and forbidden otherwise" + - name: Should not allow policyType set FulcioCAWith but not set corresponding policy + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: FulcioCAWithRekor + expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise" + - name: Should not allow signedIdentity matchPolicy ExactRepository but not set repository + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: ExactRepository + expectedError: "spec.policy.signedIdentity: Invalid value: \"object\": exactRepository is required when matchPolicy is ExactRepository, and forbidden otherwise" + - name: Should not allow signedIdentity matchPolicy RemapIdentity but not set prefixes + initial: | + apiVersion: 
config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: RemapIdentity + expectedError: "spec.policy.signedIdentity: Invalid value: \"object\": remapIdentity is required when matchPolicy is RemapIdentity, and forbidden otherwise" + - name: Test scope should not allow 'busybox' + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - busybox + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expectedError: "spec.scopes[0]: Invalid value: \"string\": invalid image scope format, scope must contain a fully qualified domain name or 'localhost'" + - name: Test scope should not allow start with subnamesapces '*.example.com/test' + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - "*.example.com/test" + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expectedError: "spec.scopes[0]: Invalid value: \"string\": invalid image scope with wildcard, a wildcard can only be at the start of the domain and is only supported for subdomain matching, not path matching" + - name: Test scope should not allow invalid digest + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com/namespace/namespace@sha256:12dsdf + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expectedError: "spec.scopes[0]: Invalid value: \"string\": invalid repository namespace or image specification in the image scope" + - name: Test should not allow tag in ExactRepository repository + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: 
+ matchPolicy: ExactRepository + exactRepository: + repository: example.com/namespace/namespace:latest + expectedError: "[spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity]" + - name: Test should not allow tag in ExactRepository repository + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: ExactRepository + exactRepository: + repository: localhost:1234/namespace/namespace:latest + expectedError: "[spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity]" + - name: Test should not allow digest in ExactRepository repository + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: ExactRepository + exactRepository: + repository: localhost:1234/namespace/namespace@sha256:b7e686e30346e9ace664fa09c0275262f8b9a443ed56d22165a0e201f6488c13 + expectedError: "[spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity]" + - name: Test should not allow tag in prefix/signedPrefix + 
initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: RemapIdentity + remapIdentity: + prefix: example.com/namespace:latest + signedPrefix: example.com/namespace + expectedError: "[spec.policy.signedIdentity.remapIdentity.prefix: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.remapIdentity.prefix: Invalid value: \"string\": invalid repository or prefix in the signedIdentity]" + - name: Test should allow valid ExactRepository repository + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: ExactRepository + exactRepository: + repository: example.com + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: ExactRepository + exactRepository: + repository: example.com + - name: Test should allow valid signedIdentity prefix/signedPrefix + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: RemapIdentity + remapIdentity: + prefix: example.com + signedPrefix: mirror.com + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: RemapIdentity + remapIdentity: + prefix: example.com + 
signedPrefix: mirror.com + - name: Test scope should allow localhost name with port 'localhost:1234/namespace/namespace' + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - localhost:1234/namespace/namespace + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - localhost:1234/namespace/namespace + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + - name: Test scope should allow localhost 'localhost/foo/bar' + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - localhost/foo/bar + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - localhost/foo/bar + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + - name: Test scope should allow 'example.com/foo/bar' + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com/foo/bar + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com/foo/bar + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + - name: Test scope should allow tag 'example.com/foo/bar:latest' + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com/foo/bar:latest + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com/foo/bar:latest + policy: + rootOfTrust: + policyType: 
PublicKey + publicKey: + keyData: Zm9vIGJhcg== + - name: Test scope should allow full specification digest + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com/namespace/namespace@sha256:b7e686e30346e9ace664fa09c0275262f8b9a443ed56d22165a0e201f6488c13 + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com/namespace/namespace@sha256:b7e686e30346e9ace664fa09c0275262f8b9a443ed56d22165a0e201f6488c13 + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + - name: Test scope should allow '*.example.com' + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - "*.example.com" + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - "*.example.com" + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== diff --git a/vendor/github.com/openshift/api/config/v1alpha1/techpreview.imagepolicy.testsuite.yaml b/vendor/github.com/openshift/api/config/v1alpha1/techpreview.imagepolicy.testsuite.yaml new file mode 100644 index 000000000..b469d4c52 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1alpha1/techpreview.imagepolicy.testsuite.yaml 
@@ -0,0 +1,451 @@ +apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this +name: "[TechPreviewNoUpgrade] ImagePolicy" +crd: 0000_10_config-operator_01_imagepolicy-TechPreviewNoUpgrade.crd.yaml +tests: + onCreate: + - name: Should be able to create a minimal ImagePolicy with policyType PublicKey + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + - name: Should be able to create a minimal ImagePolicy with policyType FulcioCAWithRekor + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: FulcioCAWithRekor + fulcioCAWithRekor: + fulcioCAData: Zm9vIGJhcg== + rekorKeyData: Zm9vIGJhcg== + fulcioSubject: + oidcIssuer: https://oidc.localhost + signedEmail: test-user@example.com + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: FulcioCAWithRekor + fulcioCAWithRekor: + fulcioCAData: Zm9vIGJhcg== + rekorKeyData: Zm9vIGJhcg== + fulcioSubject: + oidcIssuer: https://oidc.localhost + signedEmail: test-user@example.com + - name: Should not allow policyType PublicKey but not set publicKey + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + FulcioCAWithRekor: + fulcioCAData: Zm9vIGJhcg== + rekorKeyData: Zm9vIGJhcg== + fulcioSubject: + oidcIssuer: https://oidc.localhost + signedEmail: test-user@example.com + expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": publicKey is required when 
policyType is PublicKey, and forbidden otherwise" + - name: Should not allow policyType FulcioCAData but not set fulcioCAWithRekor + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: FulcioCAWithRekor + PublicKey: + keyData: Zm9vIGJhcg== + expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise" + - name: Should not allow policyType set but not set corresponding policy + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": publicKey is required when policyType is PublicKey, and forbidden otherwise" + - name: Should not allow policyType set FulcioCAWith but not set corresponding policy + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: FulcioCAWithRekor + expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise" + - name: Should not allow signedIdentity matchPolicy ExactRepository but not set repository + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: ExactRepository + expectedError: "spec.policy.signedIdentity: Invalid value: \"object\": exactRepository is required when matchPolicy is ExactRepository, and forbidden otherwise" + - name: Should not allow signedIdentity matchPolicy RemapIdentity but not set prefixes + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com + 
policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: RemapIdentity + expectedError: "spec.policy.signedIdentity: Invalid value: \"object\": remapIdentity is required when matchPolicy is RemapIdentity, and forbidden otherwise" + - name: Test scope should not allow 'busybox' + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - busybox + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expectedError: "spec.scopes[0]: Invalid value: \"string\": invalid image scope format, scope must contain a fully qualified domain name or 'localhost'" + - name: Test scope should not allow start with subnamesapces '*.example.com/test' + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - "*.example.com/test" + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expectedError: "spec.scopes[0]: Invalid value: \"string\": invalid image scope with wildcard, a wildcard can only be at the start of the domain and is only supported for subdomain matching, not path matching" + - name: Test scope should not allow invalid digest + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com/namespace/namespace@sha256:12dsdf + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expectedError: "spec.scopes[0]: Invalid value: \"string\": invalid repository namespace or image specification in the image scope" + - name: Test should not allow tag in ExactRepository repository + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: ExactRepository + exactRepository: + repository: example.com/namespace/namespace:latest + expectedError: 
"[spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity]" + - name: Test should not allow tag in ExactRepository repository + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: ExactRepository + exactRepository: + repository: localhost:1234/namespace/namespace:latest + expectedError: "[spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity]" + - name: Test should not allow digest in ExactRepository repository + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: ExactRepository + exactRepository: + repository: localhost:1234/namespace/namespace@sha256:b7e686e30346e9ace664fa09c0275262f8b9a443ed56d22165a0e201f6488c13 + expectedError: "[spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity]" + - name: Test should not allow tag in prefix/signedPrefix + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + 
policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: RemapIdentity + remapIdentity: + prefix: example.com/namespace:latest + signedPrefix: example.com/namespace + expectedError: "[spec.policy.signedIdentity.remapIdentity.prefix: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.remapIdentity.prefix: Invalid value: \"string\": invalid repository or prefix in the signedIdentity]" + - name: Test should allow valid ExactRepository repository + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: ExactRepository + exactRepository: + repository: example.com + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: ExactRepository + exactRepository: + repository: example.com + - name: Test should allow valid signedIdentity prefix/signedPrefix + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: RemapIdentity + remapIdentity: + prefix: example.com + signedPrefix: mirror.com + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: RemapIdentity + remapIdentity: + prefix: example.com + signedPrefix: mirror.com + - name: Test scope should allow localhost name with port 'localhost:1234/namespace/namespace' + initial: | + apiVersion: config.openshift.io/v1alpha1 + 
kind: ImagePolicy + spec: + scopes: + - localhost:1234/namespace/namespace + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - localhost:1234/namespace/namespace + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + - name: Test scope should allow localhost 'localhost/foo/bar' + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - localhost/foo/bar + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - localhost/foo/bar + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + - name: Test scope should allow 'example.com/foo/bar' + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com/foo/bar + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com/foo/bar + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + - name: Test scope should allow tag 'example.com/foo/bar:latest' + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com/foo/bar:latest + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com/foo/bar:latest + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + - name: Test scope should allow full specification digest + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - 
example.com/namespace/namespace@sha256:b7e686e30346e9ace664fa09c0275262f8b9a443ed56d22165a0e201f6488c13 + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com/namespace/namespace@sha256:b7e686e30346e9ace664fa09c0275262f8b9a443ed56d22165a0e201f6488c13 + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + - name: Test scope should allow '*.example.com' + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - "*.example.com" + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - "*.example.com" + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go new file mode 100644 index 000000000..5c44e0e74 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go 
@@ -0,0 +1,71 @@
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterImagePolicy holds cluster-wide configuration for image signature verification
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +openshift:compatibility-gen:level=4
+type ClusterImagePolicy struct {
+ metav1.TypeMeta `json:",inline"`
+
+ // metadata is the standard object's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // spec contains the configuration for the cluster image policy.
+ // +kubebuilder:validation:Required
+ Spec ClusterImagePolicySpec `json:"spec"`
+ // status contains the observed state of the resource.
+ // +optional
+ Status ClusterImagePolicyStatus `json:"status,omitempty"`
+}
+
+// CLusterImagePolicySpec is the specification of the ClusterImagePolicy custom resource.
+type ClusterImagePolicySpec struct {
+ // scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2".
+ // Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest).
+ // More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository
+ // namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number).
+ // Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not.
+ // Please be aware that the scopes should not be nested under the repositories of OpenShift Container Platform images.
+ // If configured, the policies for OpenShift Container Platform repositories will not be in effect.
+ // For additional details about the format, please refer to the document explaining the docker transport field,
+ // which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:MaxItems=256
+ // +listType=set
+ Scopes []ImageScope `json:"scopes"`
+ // policy contains configuration to allow scopes to be verified, and defines how
+ // images not matching the verification policy will be treated.
+ // +kubebuilder:validation:Required
+ Policy Policy `json:"policy"`
+}
+
+// +k8s:deepcopy-gen=true
+type ClusterImagePolicyStatus struct {
+ // conditions provide details on the status of this API Resource.
+ // +listType=map
+ // +listMapKey=type
+ Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterImagePolicyList is a list of ClusterImagePolicy resources
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +openshift:compatibility-gen:level=4
+type ClusterImagePolicyList struct {
+ metav1.TypeMeta `json:",inline"`
+
+ // metadata is the standard list's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+ metav1.ListMeta `json:"metadata"`
+
+ Items []ClusterImagePolicy `json:"items"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go b/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go new file mode 100644 index 000000000..b93f17c5d --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go 
@@ -0,0 +1,230 @@
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ImagePolicy holds namespace-wide configuration for image signature verification
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +openshift:compatibility-gen:level=4
+type ImagePolicy struct {
+ metav1.TypeMeta `json:",inline"`
+
+ // metadata is the standard object's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // spec holds user settable values for configuration
+ // +kubebuilder:validation:Required
+ Spec ImagePolicySpec `json:"spec"`
+ // status contains the observed state of the resource.
+ // +optional
+ Status ImagePolicyStatus `json:"status,omitempty"`
+}
+
+// ImagePolicySpec is the specification of the ImagePolicy CRD.
+type ImagePolicySpec struct {
+ // scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2".
+ // Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest).
+ // More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository
+ // namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number).
+ // Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not.
+ // Please be aware that the scopes should not be nested under the repositories of OpenShift Container Platform images.
+ // If configured, the policies for OpenShift Container Platform repositories will not be in effect.
+ // For additional details about the format, please refer to the document explaining the docker transport field,
+ // which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:MaxItems=256
+ // +listType=set
+ Scopes []ImageScope `json:"scopes"`
+ // policy contains configuration to allow scopes to be verified, and defines how
+ // images not matching the verification policy will be treated.
+ // +kubebuilder:validation:Required
+ Policy Policy `json:"policy"`
+}
+
+// +kubebuilder:validation:XValidation:rule="size(self.split('/')[0].split('.')) == 1 ? self.split('/')[0].split('.')[0].split(':')[0] == 'localhost' : true",message="invalid image scope format, scope must contain a fully qualified domain name or 'localhost'"
+// +kubebuilder:validation:XValidation:rule=`self.contains('*') ? self.matches('^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$') : true`,message="invalid image scope with wildcard, a wildcard can only be at the start of the domain and is only supported for subdomain matching, not path matching"
+// +kubebuilder:validation:XValidation:rule=`!self.contains('*') ? self.matches('^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$') : true`,message="invalid repository namespace or image specification in the image scope"
+// +kubebuilder:validation:MaxLength=512
+type ImageScope string
+
+// Policy defines the verification policy for the items in the scopes list.
+type Policy struct {
+ // rootOfTrust specifies the root of trust for the policy.
+ // +kubebuilder:validation:Required
+ RootOfTrust PolicyRootOfTrust `json:"rootOfTrust"`
+ // signedIdentity specifies what image identity the signature claims about the image. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact".
+ // +optional
+ SignedIdentity PolicyIdentity `json:"signedIdentity,omitempty"`
+}
+
+// PolicyRootOfTrust defines the root of trust based on the selected policyType.
+// +union
+// +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'PublicKey' ? has(self.publicKey) : !has(self.publicKey)",message="publicKey is required when policyType is PublicKey, and forbidden otherwise"
+// +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'FulcioCAWithRekor' ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)",message="fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise"
+type PolicyRootOfTrust struct {
+ // policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust.
+ // "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification.
+ // "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification.
+ // +unionDiscriminator
+ // +kubebuilder:validation:Required
+ PolicyType PolicyType `json:"policyType"`
+ // publicKey defines the root of trust based on a sigstore public key.
+ // +optional
+ PublicKey *PublicKey `json:"publicKey,omitempty"`
+ // fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.
+ // For more information about Fulcio and Rekor, please refer to the document at:
+ // https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor
+ // +optional
+ FulcioCAWithRekor *FulcioCAWithRekor `json:"fulcioCAWithRekor,omitempty"`
+}
+
+// +kubebuilder:validation:Enum=PublicKey;FulcioCAWithRekor
+type PolicyType string
+
+const (
+ PublicKeyRootOfTrust PolicyType = "PublicKey"
+ FulcioCAWithRekorRootOfTrust PolicyType = "FulcioCAWithRekor"
+)
+
+// PublicKey defines the root of trust based on a sigstore public key.
+type PublicKey struct {
+ // keyData contains inline base64-encoded data for the PEM format public key.
+ // KeyData must be at most 8192 characters.
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:MaxLength=8192
+ KeyData string `json:"keyData"`
+ // rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key.
+ // rekorKeyData must be at most 8192 characters.
+ // +optional
+ // +kubebuilder:validation:MaxLength=8192
+ RekorKeyData string `json:"rekorKeyData,omitempty"`
+}
+
+// FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.
+type FulcioCAWithRekor struct {
+ // fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA.
+ // fulcioCAData must be at most 8192 characters.
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:MaxLength=8192
+ FulcioCAData string `json:"fulcioCAData"`
+ // rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key.
+ // rekorKeyData must be at most 8192 characters.
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:MaxLength=8192
+ RekorKeyData string `json:"rekorKeyData"`
+ // fulcioSubject specifies OIDC issuer and the email of the Fulcio authentication configuration.
+ // +kubebuilder:validation:Required
+ FulcioSubject PolicyFulcioSubject `json:"fulcioSubject,omitempty"`
+}
+
+// PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.
+type PolicyFulcioSubject struct {
+ // oidcIssuer contains the expected OIDC issuer. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token.
+ // Example: "https://expected.OIDC.issuer/"
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:XValidation:rule="isURL(self)",message="oidcIssuer must be a valid URL"
+ OIDCIssuer string `json:"oidcIssuer"`
+ // signedEmail holds the email address the the Fulcio certificate is issued for.
+ // Example: "expected-signing-user@example.com"
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:XValidation:rule=`self.matches('^\\S+@\\S+$')`,message="invalid email address"
+ SignedEmail string `json:"signedEmail"`
+}
+
+// PolicyIdentity defines image identity the signature claims about the image. When omitted, the default matchPolicy is "MatchRepoDigestOrExact".
+// +kubebuilder:validation:XValidation:rule="(has(self.matchPolicy) && self.matchPolicy == 'ExactRepository') ? has(self.exactRepository) : !has(self.exactRepository)",message="exactRepository is required when matchPolicy is ExactRepository, and forbidden otherwise"
+// +kubebuilder:validation:XValidation:rule="(has(self.matchPolicy) && self.matchPolicy == 'RemapIdentity') ? has(self.remapIdentity) : !has(self.remapIdentity)",message="remapIdentity is required when matchPolicy is RemapIdentity, and forbidden otherwise"
+// +union
+type PolicyIdentity struct {
+ // matchPolicy sets the type of matching to be used.
+ // Valid values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact".
+ // If set matchPolicy to ExactRepository, then the exactRepository must be specified.
+ // If set matchPolicy to RemapIdentity, then the remapIdentity must be specified.
+ // "MatchRepoDigestOrExact" means that the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity.
+ // "MatchRepository" means that the identity in the signature must be in the same repository as the image identity.
+ // "ExactRepository" means that the identity in the signature must be in the same repository as a specific identity specified by "repository".
+ // "RemapIdentity" means that the signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix.
+ // +unionDiscriminator
+ // +kubebuilder:validation:Required
+ MatchPolicy IdentityMatchPolicy `json:"matchPolicy"`
+ // exactRepository is required if matchPolicy is set to "ExactRepository".
+ // +optional
+ PolicyMatchExactRepository *PolicyMatchExactRepository `json:"exactRepository,omitempty"`
+ // remapIdentity is required if matchPolicy is set to "RemapIdentity".
+ // +optional
+ PolicyMatchRemapIdentity *PolicyMatchRemapIdentity `json:"remapIdentity,omitempty"`
+}
+
+// +kubebuilder:validation:MaxLength=512
+// +kubebuilder:validation:XValidation:rule=`self.matches('.*:([\\w][\\w.-]{0,127})$')? self.matches('^(localhost:[0-9]+)$'): true`,message="invalid repository or prefix in the signedIdentity, should not include the tag or digest"
+// +kubebuilder:validation:XValidation:rule=`self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$')`,message="invalid repository or prefix in the signedIdentity"
+type IdentityRepositoryPrefix string
+
+type PolicyMatchExactRepository struct {
+ // repository is the reference of the image identity to be matched.
+ // The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox
+ // +kubebuilder:validation:Required
+ Repository IdentityRepositoryPrefix `json:"repository"`
+}
+
+type PolicyMatchRemapIdentity struct {
+ // prefix is the prefix of the image identity to be matched.
+ // If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place).
+ // This useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure.
+ // The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces,
+ // or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form.
+ // For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.
+ // +kubebuilder:validation:Required
+ Prefix IdentityRepositoryPrefix `json:"prefix"`
+ // signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces,
+ // or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form.
+ // For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.
+ // +kubebuilder:validation:Required
+ SignedPrefix IdentityRepositoryPrefix `json:"signedPrefix"`
+}
+
+// IdentityMatchPolicy defines the type of matching for "matchPolicy".
+// +kubebuilder:validation:Enum=MatchRepoDigestOrExact;MatchRepository;ExactRepository;RemapIdentity
+type IdentityMatchPolicy string
+
+const (
+ IdentityMatchPolicyMatchRepoDigestOrExact IdentityMatchPolicy = "MatchRepoDigestOrExact"
+ IdentityMatchPolicyMatchRepository IdentityMatchPolicy = "MatchRepository"
+ IdentityMatchPolicyExactRepository IdentityMatchPolicy = "ExactRepository"
+ IdentityMatchPolicyRemapIdentity IdentityMatchPolicy = "RemapIdentity"
+)
+
+// +k8s:deepcopy-gen=true
+type ImagePolicyStatus struct {
+ // conditions provide details on the status of this API Resource.
+ // +listType=map
+ // +listMapKey=type
+ Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ImagePolicyList is a list of ImagePolicy resources
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +openshift:compatibility-gen:level=4
+type ImagePolicyList struct {
+ metav1.TypeMeta `json:",inline"`
+
+ // metadata is the standard list's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+ metav1.ListMeta `json:"metadata"`
+
+ Items []ImagePolicy `json:"items"`
+}
+
+const (
+ // ImagePolicyPending indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid.
+ ImagePolicyPending = "Pending"
+ // ImagePolicyApplied indicates that the policy has been applied
+ ImagePolicyApplied = "Applied"
+)
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go
index 8cd8536f3..21b08cf33 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go
+++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go
@@ -6,6 +6,7 @@ package v1alpha1 import ( + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" )
@@ -103,6 +104,112 @@ func (in *BackupStatus) DeepCopy() *BackupStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterImagePolicy) DeepCopyInto(out *ClusterImagePolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicy. +func (in *ClusterImagePolicy) DeepCopy() *ClusterImagePolicy { + if in == nil { + return nil + } + out := new(ClusterImagePolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ClusterImagePolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterImagePolicyList) DeepCopyInto(out *ClusterImagePolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ClusterImagePolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicyList. +func (in *ClusterImagePolicyList) DeepCopy() *ClusterImagePolicyList { + if in == nil { + return nil + } + out := new(ClusterImagePolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *ClusterImagePolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterImagePolicySpec) DeepCopyInto(out *ClusterImagePolicySpec) { + *out = *in + if in.Scopes != nil { + in, out := &in.Scopes, &out.Scopes + *out = make([]ImageScope, len(*in)) + copy(*out, *in) + } + in.Policy.DeepCopyInto(&out.Policy) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicySpec. +func (in *ClusterImagePolicySpec) DeepCopy() *ClusterImagePolicySpec { + if in == nil { + return nil + } + out := new(ClusterImagePolicySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterImagePolicyStatus) DeepCopyInto(out *ClusterImagePolicyStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicyStatus. +func (in *ClusterImagePolicyStatus) DeepCopy() *ClusterImagePolicyStatus { + if in == nil { + return nil + } + out := new(ClusterImagePolicyStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *EtcdBackupSpec) DeepCopyInto(out *EtcdBackupSpec) { *out = *in 
@@ -120,6 +227,23 @@ func (in *EtcdBackupSpec) DeepCopy() *EtcdBackupSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *FulcioCAWithRekor) DeepCopyInto(out *FulcioCAWithRekor) { + *out = *in + out.FulcioSubject = in.FulcioSubject + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FulcioCAWithRekor. +func (in *FulcioCAWithRekor) DeepCopy() *FulcioCAWithRekor { + if in == nil { + return nil + } + out := new(FulcioCAWithRekor) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GatherConfig) DeepCopyInto(out *GatherConfig) { *out = *in 
@@ -141,6 +265,112 @@ func (in *GatherConfig) DeepCopy() *GatherConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicy) DeepCopyInto(out *ImagePolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicy. +func (in *ImagePolicy) DeepCopy() *ImagePolicy { + if in == nil { + return nil + } + out := new(ImagePolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ImagePolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicyList) DeepCopyInto(out *ImagePolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ImagePolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyList. +func (in *ImagePolicyList) DeepCopy() *ImagePolicyList { + if in == nil { + return nil + } + out := new(ImagePolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ImagePolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ImagePolicySpec) DeepCopyInto(out *ImagePolicySpec) { + *out = *in + if in.Scopes != nil { + in, out := &in.Scopes, &out.Scopes + *out = make([]ImageScope, len(*in)) + copy(*out, *in) + } + in.Policy.DeepCopyInto(&out.Policy) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicySpec. +func (in *ImagePolicySpec) DeepCopy() *ImagePolicySpec { + if in == nil { + return nil + } + out := new(ImagePolicySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicyStatus) DeepCopyInto(out *ImagePolicyStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyStatus. +func (in *ImagePolicyStatus) DeepCopy() *ImagePolicyStatus { + if in == nil { + return nil + } + out := new(ImagePolicyStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *InsightsDataGather) DeepCopyInto(out *InsightsDataGather) { *out = *in 
@@ -235,6 +465,140 @@ func (in *InsightsDataGatherStatus) DeepCopy() *InsightsDataGatherStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Policy) DeepCopyInto(out *Policy) { + *out = *in + in.RootOfTrust.DeepCopyInto(&out.RootOfTrust) + in.SignedIdentity.DeepCopyInto(&out.SignedIdentity) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy. +func (in *Policy) DeepCopy() *Policy { + if in == nil { + return nil + } + out := new(Policy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyFulcioSubject) DeepCopyInto(out *PolicyFulcioSubject) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyFulcioSubject. +func (in *PolicyFulcioSubject) DeepCopy() *PolicyFulcioSubject { + if in == nil { + return nil + } + out := new(PolicyFulcioSubject) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyIdentity) DeepCopyInto(out *PolicyIdentity) { + *out = *in + if in.PolicyMatchExactRepository != nil { + in, out := &in.PolicyMatchExactRepository, &out.PolicyMatchExactRepository + *out = new(PolicyMatchExactRepository) + **out = **in + } + if in.PolicyMatchRemapIdentity != nil { + in, out := &in.PolicyMatchRemapIdentity, &out.PolicyMatchRemapIdentity + *out = new(PolicyMatchRemapIdentity) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyIdentity. 
+func (in *PolicyIdentity) DeepCopy() *PolicyIdentity { + if in == nil { + return nil + } + out := new(PolicyIdentity) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyMatchExactRepository) DeepCopyInto(out *PolicyMatchExactRepository) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyMatchExactRepository. +func (in *PolicyMatchExactRepository) DeepCopy() *PolicyMatchExactRepository { + if in == nil { + return nil + } + out := new(PolicyMatchExactRepository) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyMatchRemapIdentity) DeepCopyInto(out *PolicyMatchRemapIdentity) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyMatchRemapIdentity. +func (in *PolicyMatchRemapIdentity) DeepCopy() *PolicyMatchRemapIdentity { + if in == nil { + return nil + } + out := new(PolicyMatchRemapIdentity) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyRootOfTrust) DeepCopyInto(out *PolicyRootOfTrust) { + *out = *in + if in.PublicKey != nil { + in, out := &in.PublicKey, &out.PublicKey + *out = new(PublicKey) + **out = **in + } + if in.FulcioCAWithRekor != nil { + in, out := &in.FulcioCAWithRekor, &out.FulcioCAWithRekor + *out = new(FulcioCAWithRekor) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyRootOfTrust. 
+func (in *PolicyRootOfTrust) DeepCopy() *PolicyRootOfTrust { + if in == nil { + return nil + } + out := new(PolicyRootOfTrust) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PublicKey) DeepCopyInto(out *PublicKey) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PublicKey. +func (in *PublicKey) DeepCopy() *PublicKey { + if in == nil { + return nil + } + out := new(PublicKey) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RetentionNumberConfig) DeepCopyInto(out *RetentionNumberConfig) { *out = *in diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go index 425c1ec51..efaac4fa2 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go 
@@ -80,6 +80,162 @@ func (RetentionSizeConfig) SwaggerDoc() map[string]string { return map_RetentionSizeConfig } +var map_ClusterImagePolicy = map[string]string{ + "": "ClusterImagePolicy holds cluster-wide configuration for image signature verification\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "spec": "spec contains the configuration for the cluster image policy.", + "status": "status contains the observed state of the resource.", +} + +func (ClusterImagePolicy) SwaggerDoc() map[string]string { + return map_ClusterImagePolicy +} + +var map_ClusterImagePolicyList = map[string]string{ + "": "ClusterImagePolicyList is a list of ClusterImagePolicy resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", +} + +func (ClusterImagePolicyList) SwaggerDoc() map[string]string { + return map_ClusterImagePolicyList +} + +var map_ClusterImagePolicySpec = map[string]string{ + "": "CLusterImagePolicySpec is the specification of the ClusterImagePolicy custom resource.", + "scopes": "scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). 
More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. Please be aware that the scopes should not be nested under the repositories of OpenShift Container Platform images. If configured, the policies for OpenShift Container Platform repositories will not be in effect. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", + "policy": "policy contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", +} + +func (ClusterImagePolicySpec) SwaggerDoc() map[string]string { + return map_ClusterImagePolicySpec +} + +var map_ClusterImagePolicyStatus = map[string]string{ + "conditions": "conditions provide details on the status of this API Resource.", +} + +func (ClusterImagePolicyStatus) SwaggerDoc() map[string]string { + return map_ClusterImagePolicyStatus +} + +var map_FulcioCAWithRekor = map[string]string{ + "": "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.", + "fulcioCAData": "fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", + "rekorKeyData": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. 
rekorKeyData must be at most 8192 characters.", + "fulcioSubject": "fulcioSubject specifies OIDC issuer and the email of the Fulcio authentication configuration.", +} + +func (FulcioCAWithRekor) SwaggerDoc() map[string]string { + return map_FulcioCAWithRekor +} + +var map_ImagePolicy = map[string]string{ + "": "ImagePolicy holds namespace-wide configuration for image signature verification\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "spec": "spec holds user settable values for configuration", + "status": "status contains the observed state of the resource.", +} + +func (ImagePolicy) SwaggerDoc() map[string]string { + return map_ImagePolicy +} + +var map_ImagePolicyList = map[string]string{ + "": "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", +} + +func (ImagePolicyList) SwaggerDoc() map[string]string { + return map_ImagePolicyList +} + +var map_ImagePolicySpec = map[string]string{ + "": "ImagePolicySpec is the specification of the ImagePolicy CRD.", + "scopes": "scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). 
More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. Please be aware that the scopes should not be nested under the repositories of OpenShift Container Platform images. If configured, the policies for OpenShift Container Platform repositories will not be in effect. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", + "policy": "policy contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", +} + +func (ImagePolicySpec) SwaggerDoc() map[string]string { + return map_ImagePolicySpec +} + +var map_ImagePolicyStatus = map[string]string{ + "conditions": "conditions provide details on the status of this API Resource.", +} + +func (ImagePolicyStatus) SwaggerDoc() map[string]string { + return map_ImagePolicyStatus +} + +var map_Policy = map[string]string{ + "": "Policy defines the verification policy for the items in the scopes list.", + "rootOfTrust": "rootOfTrust specifies the root of trust for the policy.", + "signedIdentity": "signedIdentity specifies what image identity the signature claims about the image. 
The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", +} + +func (Policy) SwaggerDoc() map[string]string { + return map_Policy +} + +var map_PolicyFulcioSubject = map[string]string{ + "": "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.", + "oidcIssuer": "oidcIssuer contains the expected OIDC issuer. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: \"https://expected.OIDC.issuer/\"", + "signedEmail": "signedEmail holds the email address the the Fulcio certificate is issued for. Example: \"expected-signing-user@example.com\"", +} + +func (PolicyFulcioSubject) SwaggerDoc() map[string]string { + return map_PolicyFulcioSubject +} + +var map_PolicyIdentity = map[string]string{ + "": "PolicyIdentity defines image identity the signature claims about the image. When omitted, the default matchPolicy is \"MatchRepoDigestOrExact\".", + "matchPolicy": "matchPolicy sets the type of matching to be used. Valid values are \"MatchRepoDigestOrExact\", \"MatchRepository\", \"ExactRepository\", \"RemapIdentity\". When omitted, the default value is \"MatchRepoDigestOrExact\". If set matchPolicy to ExactRepository, then the exactRepository must be specified. If set matchPolicy to RemapIdentity, then the remapIdentity must be specified. \"MatchRepoDigestOrExact\" means that the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. 
\"MatchRepository\" means that the identity in the signature must be in the same repository as the image identity. \"ExactRepository\" means that the identity in the signature must be in the same repository as a specific identity specified by \"repository\". \"RemapIdentity\" means that the signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the \"prefix\" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix.", + "exactRepository": "exactRepository is required if matchPolicy is set to \"ExactRepository\".", + "remapIdentity": "remapIdentity is required if matchPolicy is set to \"RemapIdentity\".", +} + +func (PolicyIdentity) SwaggerDoc() map[string]string { + return map_PolicyIdentity +} + +var map_PolicyMatchExactRepository = map[string]string{ + "repository": "repository is the reference of the image identity to be matched. The value should be a repository name (by omitting the tag or digest) in a registry implementing the \"Docker Registry HTTP API V2\". For example, docker.io/library/busybox", +} + +func (PolicyMatchExactRepository) SwaggerDoc() map[string]string { + return map_PolicyMatchExactRepository +} + +var map_PolicyMatchRemapIdentity = map[string]string{ + "prefix": "prefix is the prefix of the image identity to be matched. If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). This useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. 
For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", + "signedPrefix": "signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as \"prefix\". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", +} + +func (PolicyMatchRemapIdentity) SwaggerDoc() map[string]string { + return map_PolicyMatchRemapIdentity +} + +var map_PolicyRootOfTrust = map[string]string{ + "": "PolicyRootOfTrust defines the root of trust based on the selected policyType.", + "policyType": "policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. \"PublicKey\" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. \"FulcioCAWithRekor\" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification.", + "publicKey": "publicKey defines the root of trust based on a sigstore public key.", + "fulcioCAWithRekor": "fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. 
For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", +} + +func (PolicyRootOfTrust) SwaggerDoc() map[string]string { + return map_PolicyRootOfTrust +} + +var map_PublicKey = map[string]string{ + "": "PublicKey defines the root of trust based on a sigstore public key.", + "keyData": "keyData contains inline base64-encoded data for the PEM format public key. KeyData must be at most 8192 characters.", + "rekorKeyData": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", +} + +func (PublicKey) SwaggerDoc() map[string]string { + return map_PublicKey +} + var map_GatherConfig = map[string]string{ "": "gatherConfig provides data gathering configuration options.", "dataPolicy": "dataPolicy allows user to enable additional global obfuscation of the IP addresses and base domain in the Insights archive data. Valid values are \"None\" and \"ObfuscateNetworking\". When set to None the data is not obfuscated. When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is None.", diff --git a/vendor/github.com/openshift/api/console/v1/90_consoleplugin.crd.yaml b/vendor/github.com/openshift/api/console/v1/90_consoleplugin.crd.yaml index 5734ebe0b..641d0d3e1 100644 --- a/vendor/github.com/openshift/api/console/v1/90_consoleplugin.crd.yaml +++ b/vendor/github.com/openshift/api/console/v1/90_consoleplugin.crd.yaml @@ -179,7 +179,7 @@ spec: enum: - Service served: true - storage: false + storage: true - name: v1alpha1 schema: openAPIV3Schema: @@ -291,4 +291,4 @@ spec: maximum: 65535 minimum: 1 served: true - storage: true + storage: false 
diff --git a/vendor/github.com/openshift/api/console/v1alpha1/90_consoleplugin.crd.yaml b/vendor/github.com/openshift/api/console/v1alpha1/90_consoleplugin.crd.yaml index 52034c96d..d6c5fa33d 100644 --- a/vendor/github.com/openshift/api/console/v1alpha1/90_consoleplugin.crd.yaml +++ b/vendor/github.com/openshift/api/console/v1alpha1/90_consoleplugin.crd.yaml @@ -179,7 +179,7 @@ spec: enum: - Service served: true - storage: false + storage: true - name: v1alpha1 schema: openAPIV3Schema: @@ -291,4 +291,4 @@ spec: maximum: 65535 minimum: 1 served: true - storage: true + storage: false diff --git a/vendor/github.com/openshift/api/operator/v1/0000_40_cloud-credential-operator_00_config.crd.yaml b/vendor/github.com/openshift/api/operator/v1/0000_40_cloud-credential-operator_00_config.crd.yaml index bce7c8c7e..7b0220d43 100644 --- a/vendor/github.com/openshift/api/operator/v1/0000_40_cloud-credential-operator_00_config.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/0000_40_cloud-credential-operator_00_config.crd.yaml @@ -2,6 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: + capability.openshift.io/name: CloudCredential api-approved.openshift.io: https://github.com/openshift/api/pull/692 include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" diff --git a/vendor/github.com/openshift/api/operator/v1/0000_70_cluster-network-operator_01-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/0000_70_cluster-network-operator_01-CustomNoUpgrade.crd.yaml index 499b89e7b..4938ac279 100644 --- a/vendor/github.com/openshift/api/operator/v1/0000_70_cluster-network-operator_01-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/0000_70_cluster-network-operator_01-CustomNoUpgrade.crd.yaml 
@@ -139,43 +139,6 @@ spec: description: defaultNetwork is the "default" network that all pods will receive type: object properties: - kuryrConfig: - description: KuryrConfig configures the kuryr plugin - type: object - properties: - controllerProbesPort: - description: The port kuryr-controller will listen for readiness and liveness requests. - type: integer - format: int32 - minimum: 0 - daemonProbesPort: - description: The port kuryr-daemon will listen for readiness and liveness requests. - type: integer - format: int32 - minimum: 0 - enablePortPoolsPrepopulation: - description: enablePortPoolsPrepopulation when true will make Kuryr prepopulate each newly created port pool with a minimum number of ports. Kuryr uses Neutron port pooling to fight the fact that it takes a significant amount of time to create one. It creates a number of ports when the first pod that is configured to use the dedicated network for pods is created in a namespace, and keeps them ready to be attached to pods. Port prepopulation is disabled by default. - type: boolean - mtu: - description: mtu is the MTU that Kuryr should use when creating pod networks in Neutron. The value has to be lower or equal to the MTU of the nodes network and Neutron has to allow creation of tenant networks with such MTU. If unset Pod networks will be created with the same MTU as the nodes network has. This also affects the services network created by cluster-network-operator. - type: integer - format: int32 - minimum: 0 - openStackServiceNetwork: - description: openStackServiceNetwork contains the CIDR of network from which to allocate IPs for OpenStack Octavia's Amphora VMs. Please note that with Amphora driver Octavia uses two IPs from that network for each loadbalancer - one given by OpenShift and second for VRRP connections. As the first one is managed by OpenShift's and second by Neutron's IPAMs, those need to come from different pools. 
Therefore `openStackServiceNetwork` needs to be at least twice the size of `serviceNetwork`, and whole `serviceNetwork` must be overlapping with `openStackServiceNetwork`. cluster-network-operator will then make sure VRRP IPs are taken from the ranges inside `openStackServiceNetwork` that are not overlapping with `serviceNetwork`, effectivly preventing conflicts. If not set cluster-network-operator will use `serviceNetwork` expanded by decrementing the prefix size by 1. - type: string - poolBatchPorts: - description: poolBatchPorts sets a number of ports that should be created in a single batch request to extend the port pool. The default is 3. For more information about port pools see enablePortPoolsPrepopulation setting. - type: integer - minimum: 0 - poolMaxPorts: - description: poolMaxPorts sets a maximum number of free ports that are being kept in a port pool. If the number of ports exceeds this setting, free ports will get deleted. Setting 0 will disable this upper bound, effectively preventing pools from shrinking and this is the default value. For more information about port pools see enablePortPoolsPrepopulation setting. - type: integer - minimum: 0 - poolMinPorts: - description: poolMinPorts sets a minimum number of free ports that should be kept in a port pool. If the number of ports is lower than this setting, new ports will get created and added to pool. The default is 1. For more information about port pools see enablePortPoolsPrepopulation setting. - type: integer - minimum: 1 openshiftSDNConfig: description: openShiftSDNConfig configures the openshift-sdn plugin type: object diff --git a/vendor/github.com/openshift/api/operator/v1/0000_70_cluster-network-operator_01-Default.crd.yaml b/vendor/github.com/openshift/api/operator/v1/0000_70_cluster-network-operator_01-Default.crd.yaml index 2ffe3fde9..83849f24b 100644 --- a/vendor/github.com/openshift/api/operator/v1/0000_70_cluster-network-operator_01-Default.crd.yaml 
+++ b/vendor/github.com/openshift/api/operator/v1/0000_70_cluster-network-operator_01-Default.crd.yaml 
@@ -139,43 +139,6 @@ spec: description: defaultNetwork is the "default" network that all pods will receive type: object properties: - kuryrConfig: - description: KuryrConfig configures the kuryr plugin - type: object - properties: - controllerProbesPort: - description: The port kuryr-controller will listen for readiness and liveness requests. - type: integer - format: int32 - minimum: 0 - daemonProbesPort: - description: The port kuryr-daemon will listen for readiness and liveness requests. - type: integer - format: int32 - minimum: 0 - enablePortPoolsPrepopulation: - description: enablePortPoolsPrepopulation when true will make Kuryr prepopulate each newly created port pool with a minimum number of ports. Kuryr uses Neutron port pooling to fight the fact that it takes a significant amount of time to create one. It creates a number of ports when the first pod that is configured to use the dedicated network for pods is created in a namespace, and keeps them ready to be attached to pods. Port prepopulation is disabled by default. - type: boolean - mtu: - description: mtu is the MTU that Kuryr should use when creating pod networks in Neutron. The value has to be lower or equal to the MTU of the nodes network and Neutron has to allow creation of tenant networks with such MTU. If unset Pod networks will be created with the same MTU as the nodes network has. This also affects the services network created by cluster-network-operator. - type: integer - format: int32 - minimum: 0 - openStackServiceNetwork: - description: openStackServiceNetwork contains the CIDR of network from which to allocate IPs for OpenStack Octavia's Amphora VMs. Please note that with Amphora driver Octavia uses two IPs from that network for each loadbalancer - one given by OpenShift and second for VRRP connections. As the first one is managed by OpenShift's and second by Neutron's IPAMs, those need to come from different pools. 
Therefore `openStackServiceNetwork` needs to be at least twice the size of `serviceNetwork`, and whole `serviceNetwork` must be overlapping with `openStackServiceNetwork`. cluster-network-operator will then make sure VRRP IPs are taken from the ranges inside `openStackServiceNetwork` that are not overlapping with `serviceNetwork`, effectivly preventing conflicts. If not set cluster-network-operator will use `serviceNetwork` expanded by decrementing the prefix size by 1. - type: string - poolBatchPorts: - description: poolBatchPorts sets a number of ports that should be created in a single batch request to extend the port pool. The default is 3. For more information about port pools see enablePortPoolsPrepopulation setting. - type: integer - minimum: 0 - poolMaxPorts: - description: poolMaxPorts sets a maximum number of free ports that are being kept in a port pool. If the number of ports exceeds this setting, free ports will get deleted. Setting 0 will disable this upper bound, effectively preventing pools from shrinking and this is the default value. For more information about port pools see enablePortPoolsPrepopulation setting. - type: integer - minimum: 0 - poolMinPorts: - description: poolMinPorts sets a minimum number of free ports that should be kept in a port pool. If the number of ports is lower than this setting, new ports will get created and added to pool. The default is 1. For more information about port pools see enablePortPoolsPrepopulation setting. - type: integer - minimum: 1 openshiftSDNConfig: description: openShiftSDNConfig configures the openshift-sdn plugin type: object diff --git a/vendor/github.com/openshift/api/operator/v1/0000_70_cluster-network-operator_01-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/0000_70_cluster-network-operator_01-TechPreviewNoUpgrade.crd.yaml index 35c40be05..294b5c945 100644 
--- a/vendor/github.com/openshift/api/operator/v1/0000_70_cluster-network-operator_01-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/0000_70_cluster-network-operator_01-TechPreviewNoUpgrade.crd.yaml 
@@ -139,43 +139,6 @@ spec: description: defaultNetwork is the "default" network that all pods will receive type: object properties: - kuryrConfig: - description: KuryrConfig configures the kuryr plugin - type: object - properties: - controllerProbesPort: - description: The port kuryr-controller will listen for readiness and liveness requests. - type: integer - format: int32 - minimum: 0 - daemonProbesPort: - description: The port kuryr-daemon will listen for readiness and liveness requests. - type: integer - format: int32 - minimum: 0 - enablePortPoolsPrepopulation: - description: enablePortPoolsPrepopulation when true will make Kuryr prepopulate each newly created port pool with a minimum number of ports. Kuryr uses Neutron port pooling to fight the fact that it takes a significant amount of time to create one. It creates a number of ports when the first pod that is configured to use the dedicated network for pods is created in a namespace, and keeps them ready to be attached to pods. Port prepopulation is disabled by default. - type: boolean - mtu: - description: mtu is the MTU that Kuryr should use when creating pod networks in Neutron. The value has to be lower or equal to the MTU of the nodes network and Neutron has to allow creation of tenant networks with such MTU. If unset Pod networks will be created with the same MTU as the nodes network has. This also affects the services network created by cluster-network-operator. - type: integer - format: int32 - minimum: 0 - openStackServiceNetwork: - description: openStackServiceNetwork contains the CIDR of network from which to allocate IPs for OpenStack Octavia's Amphora VMs. Please note that with Amphora driver Octavia uses two IPs from that network for each loadbalancer - one given by OpenShift and second for VRRP connections. As the first one is managed by OpenShift's and second by Neutron's IPAMs, those need to come from different pools. 
Therefore `openStackServiceNetwork` needs to be at least twice the size of `serviceNetwork`, and whole `serviceNetwork` must be overlapping with `openStackServiceNetwork`. cluster-network-operator will then make sure VRRP IPs are taken from the ranges inside `openStackServiceNetwork` that are not overlapping with `serviceNetwork`, effectivly preventing conflicts. If not set cluster-network-operator will use `serviceNetwork` expanded by decrementing the prefix size by 1. - type: string - poolBatchPorts: - description: poolBatchPorts sets a number of ports that should be created in a single batch request to extend the port pool. The default is 3. For more information about port pools see enablePortPoolsPrepopulation setting. - type: integer - minimum: 0 - poolMaxPorts: - description: poolMaxPorts sets a maximum number of free ports that are being kept in a port pool. If the number of ports exceeds this setting, free ports will get deleted. Setting 0 will disable this upper bound, effectively preventing pools from shrinking and this is the default value. For more information about port pools see enablePortPoolsPrepopulation setting. - type: integer - minimum: 0 - poolMinPorts: - description: poolMinPorts sets a minimum number of free ports that should be kept in a port pool. If the number of ports is lower than this setting, new ports will get created and added to pool. The default is 1. For more information about port pools see enablePortPoolsPrepopulation setting. - type: integer - minimum: 1 openshiftSDNConfig: description: openShiftSDNConfig configures the openshift-sdn plugin type: object diff --git a/vendor/github.com/openshift/api/operator/v1/types_network.go b/vendor/github.com/openshift/api/operator/v1/types_network.go index 573442013..cec3b6318 100644 --- a/vendor/github.com/openshift/api/operator/v1/types_network.go +++ b/vendor/github.com/openshift/api/operator/v1/types_network.go 
@@ -235,10 +235,6 @@ type DefaultNetworkDefinition struct { // ovnKubernetesConfig configures the ovn-kubernetes plugin. // +optional OVNKubernetesConfig *OVNKubernetesConfig `json:"ovnKubernetesConfig,omitempty"` - - // KuryrConfig configures the kuryr plugin - // +optional - KuryrConfig *KuryrConfig `json:"kuryrConfig,omitempty"` } // SimpleMacvlanConfig contains configurations for macvlan interface. 
@@ -373,74 +369,6 @@ type OpenShiftSDNConfig struct { EnableUnidling *bool `json:"enableUnidling,omitempty"` } -// KuryrConfig configures the Kuryr-Kubernetes SDN -type KuryrConfig struct { - // The port kuryr-daemon will listen for readiness and liveness requests. - // +kubebuilder:validation:Minimum=0 - // +optional - DaemonProbesPort *uint32 `json:"daemonProbesPort,omitempty"` - - // The port kuryr-controller will listen for readiness and liveness requests. - // +kubebuilder:validation:Minimum=0 - // +optional - ControllerProbesPort *uint32 `json:"controllerProbesPort,omitempty"` - - // openStackServiceNetwork contains the CIDR of network from which to allocate IPs for - // OpenStack Octavia's Amphora VMs. Please note that with Amphora driver Octavia uses - // two IPs from that network for each loadbalancer - one given by OpenShift and second - // for VRRP connections. As the first one is managed by OpenShift's and second by Neutron's - // IPAMs, those need to come from different pools. Therefore `openStackServiceNetwork` - // needs to be at least twice the size of `serviceNetwork`, and whole `serviceNetwork` - // must be overlapping with `openStackServiceNetwork`. cluster-network-operator will then - // make sure VRRP IPs are taken from the ranges inside `openStackServiceNetwork` that - // are not overlapping with `serviceNetwork`, effectivly preventing conflicts. If not set - // cluster-network-operator will use `serviceNetwork` expanded by decrementing the prefix - // size by 1. - // +optional - OpenStackServiceNetwork string `json:"openStackServiceNetwork,omitempty"` - - // enablePortPoolsPrepopulation when true will make Kuryr prepopulate each newly created port - // pool with a minimum number of ports. Kuryr uses Neutron port pooling to fight the fact - // that it takes a significant amount of time to create one. 
It creates a number of ports when - // the first pod that is configured to use the dedicated network for pods is created in a namespace, - // and keeps them ready to be attached to pods. Port prepopulation is disabled by default. - // +optional - EnablePortPoolsPrepopulation bool `json:"enablePortPoolsPrepopulation,omitempty"` - - // poolMaxPorts sets a maximum number of free ports that are being kept in a port pool. - // If the number of ports exceeds this setting, free ports will get deleted. Setting 0 - // will disable this upper bound, effectively preventing pools from shrinking and this - // is the default value. For more information about port pools see - // enablePortPoolsPrepopulation setting. - // +kubebuilder:validation:Minimum=0 - // +optional - PoolMaxPorts uint `json:"poolMaxPorts,omitempty"` - - // poolMinPorts sets a minimum number of free ports that should be kept in a port pool. - // If the number of ports is lower than this setting, new ports will get created and - // added to pool. The default is 1. For more information about port pools see - // enablePortPoolsPrepopulation setting. - // +kubebuilder:validation:Minimum=1 - // +optional - PoolMinPorts uint `json:"poolMinPorts,omitempty"` - - // poolBatchPorts sets a number of ports that should be created in a single batch request - // to extend the port pool. The default is 3. For more information about port pools see - // enablePortPoolsPrepopulation setting. - // +kubebuilder:validation:Minimum=0 - // +optional - PoolBatchPorts *uint `json:"poolBatchPorts,omitempty"` - - // mtu is the MTU that Kuryr should use when creating pod networks in Neutron. - // The value has to be lower or equal to the MTU of the nodes network and Neutron has - // to allow creation of tenant networks with such MTU. If unset Pod networks will be - // created with the same MTU as the nodes network has. This also affects the services - // network created by cluster-network-operator. 
- // +kubebuilder:validation:Minimum=0 - // +optional - MTU *uint32 `json:"mtu,omitempty"` -} - // ovnKubernetesConfig contains the configuration parameters for networks // using the ovn-kubernetes network project type OVNKubernetesConfig struct { @@ -715,9 +643,6 @@ const ( // This is currently not implemented. NetworkTypeOVNKubernetes NetworkType = "OVNKubernetes" - // NetworkTypeKuryr means the kuryr-kubernetes project will be configured. - NetworkTypeKuryr NetworkType = "Kuryr" - // NetworkTypeRaw NetworkTypeRaw NetworkType = "Raw" diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go index 290dd2f3a..7823bb40c 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go @@ -1140,11 +1140,6 @@ func (in *DefaultNetworkDefinition) DeepCopyInto(out *DefaultNetworkDefinition) *out = new(OVNKubernetesConfig) (*in).DeepCopyInto(*out) } - if in.KuryrConfig != nil { - in, out := &in.KuryrConfig, &out.KuryrConfig - *out = new(KuryrConfig) - (*in).DeepCopyInto(*out) - } return } 
@@ -2771,42 +2766,6 @@ func (in *KubeStorageVersionMigratorStatus) DeepCopy() *KubeStorageVersionMigrat return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *KuryrConfig) DeepCopyInto(out *KuryrConfig) { - *out = *in - if in.DaemonProbesPort != nil { - in, out := &in.DaemonProbesPort, &out.DaemonProbesPort - *out = new(uint32) - **out = **in - } - if in.ControllerProbesPort != nil { - in, out := &in.ControllerProbesPort, &out.ControllerProbesPort - *out = new(uint32) - **out = **in - } - if in.PoolBatchPorts != nil { - in, out := &in.PoolBatchPorts, &out.PoolBatchPorts - *out = new(uint) - **out = **in - } - if in.MTU != nil { - in, out := &in.MTU, &out.MTU - *out = new(uint32) - **out = **in - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KuryrConfig. -func (in *KuryrConfig) DeepCopy() *KuryrConfig { - if in == nil { - return nil - } - out := new(KuryrConfig) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *LoadBalancerStrategy) DeepCopyInto(out *LoadBalancerStrategy) { *out = *in diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go index c101c8f70..d50e77e44 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go 
@@ -1300,7 +1300,6 @@ var map_DefaultNetworkDefinition = map[string]string{ "type": "type is the type of network All NetworkTypes are supported except for NetworkTypeRaw", "openshiftSDNConfig": "openShiftSDNConfig configures the openshift-sdn plugin", "ovnKubernetesConfig": "ovnKubernetesConfig configures the ovn-kubernetes plugin.", - "kuryrConfig": "KuryrConfig configures the kuryr plugin", } func (DefaultNetworkDefinition) SwaggerDoc() map[string]string { 
@@ -1393,22 +1392,6 @@ func (IPv6GatewayConfig) SwaggerDoc() map[string]string { return map_IPv6GatewayConfig } -var map_KuryrConfig = map[string]string{ - "": "KuryrConfig configures the Kuryr-Kubernetes SDN", - "daemonProbesPort": "The port kuryr-daemon will listen for readiness and liveness requests.", - "controllerProbesPort": "The port kuryr-controller will listen for readiness and liveness requests.", - "openStackServiceNetwork": "openStackServiceNetwork contains the CIDR of network from which to allocate IPs for OpenStack Octavia's Amphora VMs. Please note that with Amphora driver Octavia uses two IPs from that network for each loadbalancer - one given by OpenShift and second for VRRP connections. As the first one is managed by OpenShift's and second by Neutron's IPAMs, those need to come from different pools. Therefore `openStackServiceNetwork` needs to be at least twice the size of `serviceNetwork`, and whole `serviceNetwork` must be overlapping with `openStackServiceNetwork`. cluster-network-operator will then make sure VRRP IPs are taken from the ranges inside `openStackServiceNetwork` that are not overlapping with `serviceNetwork`, effectivly preventing conflicts. If not set cluster-network-operator will use `serviceNetwork` expanded by decrementing the prefix size by 1.", - "enablePortPoolsPrepopulation": "enablePortPoolsPrepopulation when true will make Kuryr prepopulate each newly created port pool with a minimum number of ports. Kuryr uses Neutron port pooling to fight the fact that it takes a significant amount of time to create one. It creates a number of ports when the first pod that is configured to use the dedicated network for pods is created in a namespace, and keeps them ready to be attached to pods. Port prepopulation is disabled by default.", - "poolMaxPorts": "poolMaxPorts sets a maximum number of free ports that are being kept in a port pool. If the number of ports exceeds this setting, free ports will get deleted. 
Setting 0 will disable this upper bound, effectively preventing pools from shrinking and this is the default value. For more information about port pools see enablePortPoolsPrepopulation setting.", - "poolMinPorts": "poolMinPorts sets a minimum number of free ports that should be kept in a port pool. If the number of ports is lower than this setting, new ports will get created and added to pool. The default is 1. For more information about port pools see enablePortPoolsPrepopulation setting.", - "poolBatchPorts": "poolBatchPorts sets a number of ports that should be created in a single batch request to extend the port pool. The default is 3. For more information about port pools see enablePortPoolsPrepopulation setting.", - "mtu": "mtu is the MTU that Kuryr should use when creating pod networks in Neutron. The value has to be lower or equal to the MTU of the nodes network and Neutron has to allow creation of tenant networks with such MTU. If unset Pod networks will be created with the same MTU as the nodes network has. This also affects the services network created by cluster-network-operator.", -} - -func (KuryrConfig) SwaggerDoc() map[string]string { - return map_KuryrConfig -} - var map_MTUMigration = map[string]string{ "": "MTUMigration MTU contains infomation about MTU migration.", "network": "network contains information about MTU migration for the default network. Migrations are only allowed to MTU values lower than the machine's uplink MTU by the minimum appropriate offset.", diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/authenticationstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/authenticationstatus.go index 8cbc83948..e1bb74c0c 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/authenticationstatus.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/authenticationstatus.go 
@@ -6,6 +6,7 @@ package v1 // with apply. type AuthenticationStatusApplyConfiguration struct { IntegratedOAuthMetadata *ConfigMapNameReferenceApplyConfiguration `json:"integratedOAuthMetadata,omitempty"` + OIDCClients []OIDCClientStatusApplyConfiguration `json:"oidcClients,omitempty"` } // AuthenticationStatusApplyConfiguration constructs an declarative configuration of the AuthenticationStatus type for use with @@ -21,3 +22,16 @@ func (b *AuthenticationStatusApplyConfiguration) WithIntegratedOAuthMetadata(val b.IntegratedOAuthMetadata = value return b } + +// WithOIDCClients adds the given value to the OIDCClients field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the OIDCClients field. +func (b *AuthenticationStatusApplyConfiguration) WithOIDCClients(values ...*OIDCClientStatusApplyConfiguration) *AuthenticationStatusApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithOIDCClients") + } + b.OIDCClients = append(b.OIDCClients, *values[i]) + } + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformspec.go deleted file mode 100644 index d96c5330b..000000000 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformspec.go +++ /dev/null 
@@ -1,51 +0,0 @@ -// Code generated by applyconfiguration-gen. DO NOT EDIT. - -package v1 - -import ( - v1 "github.com/openshift/api/config/v1" -) - -// BareMetalPlatformSpecApplyConfiguration represents an declarative configuration of the BareMetalPlatformSpec type for use -// with apply. -type BareMetalPlatformSpecApplyConfiguration struct { - APIServerInternalIPs []v1.IP `json:"apiServerInternalIPs,omitempty"` - IngressIPs []v1.IP `json:"ingressIPs,omitempty"` - MachineNetworks []v1.CIDR `json:"machineNetworks,omitempty"` -} - -// BareMetalPlatformSpecApplyConfiguration constructs an declarative configuration of the BareMetalPlatformSpec type for use with -// apply. -func BareMetalPlatformSpec() *BareMetalPlatformSpecApplyConfiguration { - return &BareMetalPlatformSpecApplyConfiguration{} -} - -// WithAPIServerInternalIPs adds the given value to the APIServerInternalIPs field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, values provided by each call will be appended to the APIServerInternalIPs field. -func (b *BareMetalPlatformSpecApplyConfiguration) WithAPIServerInternalIPs(values ...v1.IP) *BareMetalPlatformSpecApplyConfiguration { - for i := range values { - b.APIServerInternalIPs = append(b.APIServerInternalIPs, values[i]) - } - return b -} - -// WithIngressIPs adds the given value to the IngressIPs field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, values provided by each call will be appended to the IngressIPs field. 
-func (b *BareMetalPlatformSpecApplyConfiguration) WithIngressIPs(values ...v1.IP) *BareMetalPlatformSpecApplyConfiguration { - for i := range values { - b.IngressIPs = append(b.IngressIPs, values[i]) - } - return b -} - -// WithMachineNetworks adds the given value to the MachineNetworks field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, values provided by each call will be appended to the MachineNetworks field. -func (b *BareMetalPlatformSpecApplyConfiguration) WithMachineNetworks(values ...v1.CIDR) *BareMetalPlatformSpecApplyConfiguration { - for i := range values { - b.MachineNetworks = append(b.MachineNetworks, values[i]) - } - return b -} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformstatus.go index 87873d49a..0c4ba2427 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformstatus.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformstatus.go @@ -2,10 +2,6 @@ package v1 -import ( - configv1 "github.com/openshift/api/config/v1" -) - // BareMetalPlatformStatusApplyConfiguration represents an declarative configuration of the BareMetalPlatformStatus type for use // with apply. type BareMetalPlatformStatusApplyConfiguration struct { @@ -15,7 +11,6 @@ type BareMetalPlatformStatusApplyConfiguration struct { IngressIPs []string `json:"ingressIPs,omitempty"` NodeDNSIP *string `json:"nodeDNSIP,omitempty"` LoadBalancer *BareMetalPlatformLoadBalancerApplyConfiguration `json:"loadBalancer,omitempty"` - MachineNetworks []configv1.CIDR `json:"machineNetworks,omitempty"` } // BareMetalPlatformStatusApplyConfiguration constructs an declarative configuration of the BareMetalPlatformStatus type for use with 
@@ -75,13 +70,3 @@ func (b *BareMetalPlatformStatusApplyConfiguration) WithLoadBalancer(value *Bare b.LoadBalancer = value return b } - -// WithMachineNetworks adds the given value to the MachineNetworks field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, values provided by each call will be appended to the MachineNetworks field. -func (b *BareMetalPlatformStatusApplyConfiguration) WithMachineNetworks(values ...configv1.CIDR) *BareMetalPlatformStatusApplyConfiguration { - for i := range values { - b.MachineNetworks = append(b.MachineNetworks, values[i]) - } - return b -} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversionspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversionspec.go index e99f5e251..e1fd4d37d 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversionspec.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversionspec.go 
@@ -9,12 +9,13 @@ import ( // ClusterVersionSpecApplyConfiguration represents an declarative configuration of the ClusterVersionSpec type for use // with apply. type ClusterVersionSpecApplyConfiguration struct { - ClusterID *v1.ClusterID `json:"clusterID,omitempty"` - DesiredUpdate *UpdateApplyConfiguration `json:"desiredUpdate,omitempty"` - Upstream *v1.URL `json:"upstream,omitempty"` - Channel *string `json:"channel,omitempty"` - Capabilities *ClusterVersionCapabilitiesSpecApplyConfiguration `json:"capabilities,omitempty"` - Overrides []ComponentOverrideApplyConfiguration `json:"overrides,omitempty"` + ClusterID *v1.ClusterID `json:"clusterID,omitempty"` + DesiredUpdate *UpdateApplyConfiguration `json:"desiredUpdate,omitempty"` + Upstream *v1.URL `json:"upstream,omitempty"` + Channel *string `json:"channel,omitempty"` + Capabilities *ClusterVersionCapabilitiesSpecApplyConfiguration `json:"capabilities,omitempty"` + SignatureStores []SignatureStoreApplyConfiguration `json:"signatureStores,omitempty"` + Overrides []ComponentOverrideApplyConfiguration `json:"overrides,omitempty"` } // ClusterVersionSpecApplyConfiguration constructs an declarative configuration of the ClusterVersionSpec type for use with 
@@ -63,6 +64,19 @@ func (b *ClusterVersionSpecApplyConfiguration) WithCapabilities(value *ClusterVe return b } +// WithSignatureStores adds the given value to the SignatureStores field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the SignatureStores field. +func (b *ClusterVersionSpecApplyConfiguration) WithSignatureStores(values ...*SignatureStoreApplyConfiguration) *ClusterVersionSpecApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithSignatureStores") + } + b.SignatureStores = append(b.SignatureStores, *values[i]) + } + return b +} + // WithOverrides adds the given value to the Overrides field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the Overrides field. diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gcpplatformstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gcpplatformstatus.go index c37c88b8d..197bbae13 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gcpplatformstatus.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gcpplatformstatus.go 
@@ -2,13 +2,18 @@ package v1 +import ( + configv1 "github.com/openshift/api/config/v1" +) + // GCPPlatformStatusApplyConfiguration represents an declarative configuration of the GCPPlatformStatus type for use // with apply. type GCPPlatformStatusApplyConfiguration struct { - ProjectID *string `json:"projectID,omitempty"` - Region *string `json:"region,omitempty"` - ResourceLabels []GCPResourceLabelApplyConfiguration `json:"resourceLabels,omitempty"` - ResourceTags []GCPResourceTagApplyConfiguration `json:"resourceTags,omitempty"` + ProjectID *string `json:"projectID,omitempty"` + Region *string `json:"region,omitempty"` + ResourceLabels []GCPResourceLabelApplyConfiguration `json:"resourceLabels,omitempty"` + ResourceTags []GCPResourceTagApplyConfiguration `json:"resourceTags,omitempty"` + ClusterHostedDNS *configv1.ClusterHostedDNS `json:"clusterHostedDNS,omitempty"` } // GCPPlatformStatusApplyConfiguration constructs an declarative configuration of the GCPPlatformStatus type for use with @@ -58,3 +63,11 @@ func (b *GCPPlatformStatusApplyConfiguration) WithResourceTags(values ...*GCPRes } return b } + +// WithClusterHostedDNS sets the ClusterHostedDNS field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ClusterHostedDNS field is set to the value of the last call. +func (b *GCPPlatformStatusApplyConfiguration) WithClusterHostedDNS(value configv1.ClusterHostedDNS) *GCPPlatformStatusApplyConfiguration { + b.ClusterHostedDNS = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkstatus.go index 2ec8a82d1..f30f3c4a1 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkstatus.go 
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkstatus.go @@ -2,6 +2,10 @@ package v1 +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + // NetworkStatusApplyConfiguration represents an declarative configuration of the NetworkStatus type for use // with apply. type NetworkStatusApplyConfiguration struct { @@ -10,6 +14,7 @@ type NetworkStatusApplyConfiguration struct { NetworkType *string `json:"networkType,omitempty"` ClusterNetworkMTU *int `json:"clusterNetworkMTU,omitempty"` Migration *NetworkMigrationApplyConfiguration `json:"migration,omitempty"` + Conditions []metav1.Condition `json:"conditions,omitempty"` } // NetworkStatusApplyConfiguration constructs an declarative configuration of the NetworkStatus type for use with @@ -64,3 +69,13 @@ func (b *NetworkStatusApplyConfiguration) WithMigration(value *NetworkMigrationA b.Migration = value return b } + +// WithConditions adds the given value to the Conditions field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Conditions field. +func (b *NetworkStatusApplyConfiguration) WithConditions(values ...metav1.Condition) *NetworkStatusApplyConfiguration { + for i := range values { + b.Conditions = append(b.Conditions, values[i]) + } + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcclientconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcclientconfig.go new file mode 100644 index 000000000..1a66c43aa --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcclientconfig.go 
@@ -0,0 +1,61 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// OIDCClientConfigApplyConfiguration represents an declarative configuration of the OIDCClientConfig type for use +// with apply. +type OIDCClientConfigApplyConfiguration struct { + ComponentName *string `json:"componentName,omitempty"` + ComponentNamespace *string `json:"componentNamespace,omitempty"` + ClientID *string `json:"clientID,omitempty"` + ClientSecret *SecretNameReferenceApplyConfiguration `json:"clientSecret,omitempty"` + ExtraScopes []string `json:"extraScopes,omitempty"` +} + +// OIDCClientConfigApplyConfiguration constructs an declarative configuration of the OIDCClientConfig type for use with +// apply. +func OIDCClientConfig() *OIDCClientConfigApplyConfiguration { + return &OIDCClientConfigApplyConfiguration{} +} + +// WithComponentName sets the ComponentName field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ComponentName field is set to the value of the last call. +func (b *OIDCClientConfigApplyConfiguration) WithComponentName(value string) *OIDCClientConfigApplyConfiguration { + b.ComponentName = &value + return b +} + +// WithComponentNamespace sets the ComponentNamespace field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ComponentNamespace field is set to the value of the last call. +func (b *OIDCClientConfigApplyConfiguration) WithComponentNamespace(value string) *OIDCClientConfigApplyConfiguration { + b.ComponentNamespace = &value + return b +} + +// WithClientID sets the ClientID field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. 
+// If called multiple times, the ClientID field is set to the value of the last call. +func (b *OIDCClientConfigApplyConfiguration) WithClientID(value string) *OIDCClientConfigApplyConfiguration { + b.ClientID = &value + return b +} + +// WithClientSecret sets the ClientSecret field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ClientSecret field is set to the value of the last call. +func (b *OIDCClientConfigApplyConfiguration) WithClientSecret(value *SecretNameReferenceApplyConfiguration) *OIDCClientConfigApplyConfiguration { + b.ClientSecret = value + return b +} + +// WithExtraScopes adds the given value to the ExtraScopes field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the ExtraScopes field. +func (b *OIDCClientConfigApplyConfiguration) WithExtraScopes(values ...string) *OIDCClientConfigApplyConfiguration { + for i := range values { + b.ExtraScopes = append(b.ExtraScopes, values[i]) + } + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcclientreference.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcclientreference.go new file mode 100644 index 000000000..3c20508e5 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcclientreference.go 
@@ -0,0 +1,41 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// OIDCClientReferenceApplyConfiguration represents an declarative configuration of the OIDCClientReference type for use +// with apply. +type OIDCClientReferenceApplyConfiguration struct { + OIDCProviderName *string `json:"oidcProviderName,omitempty"` + IssuerURL *string `json:"issuerURL,omitempty"` + ClientID *string `json:"clientID,omitempty"` +} + +// OIDCClientReferenceApplyConfiguration constructs an declarative configuration of the OIDCClientReference type for use with +// apply. +func OIDCClientReference() *OIDCClientReferenceApplyConfiguration { + return &OIDCClientReferenceApplyConfiguration{} +} + +// WithOIDCProviderName sets the OIDCProviderName field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the OIDCProviderName field is set to the value of the last call. +func (b *OIDCClientReferenceApplyConfiguration) WithOIDCProviderName(value string) *OIDCClientReferenceApplyConfiguration { + b.OIDCProviderName = &value + return b +} + +// WithIssuerURL sets the IssuerURL field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the IssuerURL field is set to the value of the last call. +func (b *OIDCClientReferenceApplyConfiguration) WithIssuerURL(value string) *OIDCClientReferenceApplyConfiguration { + b.IssuerURL = &value + return b +} + +// WithClientID sets the ClientID field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ClientID field is set to the value of the last call. 
+func (b *OIDCClientReferenceApplyConfiguration) WithClientID(value string) *OIDCClientReferenceApplyConfiguration { + b.ClientID = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcclientstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcclientstatus.go new file mode 100644 index 000000000..e4cf3f31c --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcclientstatus.go 
@@ -0,0 +1,73 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +import ( + configv1 "github.com/openshift/api/config/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// OIDCClientStatusApplyConfiguration represents an declarative configuration of the OIDCClientStatus type for use +// with apply. +type OIDCClientStatusApplyConfiguration struct { + ComponentName *string `json:"componentName,omitempty"` + ComponentNamespace *string `json:"componentNamespace,omitempty"` + CurrentOIDCClients []OIDCClientReferenceApplyConfiguration `json:"currentOIDCClients,omitempty"` + ConsumingUsers []configv1.ConsumingUser `json:"consumingUsers,omitempty"` + Conditions []metav1.Condition `json:"conditions,omitempty"` +} + +// OIDCClientStatusApplyConfiguration constructs an declarative configuration of the OIDCClientStatus type for use with +// apply. +func OIDCClientStatus() *OIDCClientStatusApplyConfiguration { + return &OIDCClientStatusApplyConfiguration{} +} + +// WithComponentName sets the ComponentName field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ComponentName field is set to the value of the last call. +func (b *OIDCClientStatusApplyConfiguration) WithComponentName(value string) *OIDCClientStatusApplyConfiguration { + b.ComponentName = &value + return b +} + +// WithComponentNamespace sets the ComponentNamespace field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ComponentNamespace field is set to the value of the last call. 
+func (b *OIDCClientStatusApplyConfiguration) WithComponentNamespace(value string) *OIDCClientStatusApplyConfiguration { + b.ComponentNamespace = &value + return b +} + +// WithCurrentOIDCClients adds the given value to the CurrentOIDCClients field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the CurrentOIDCClients field. +func (b *OIDCClientStatusApplyConfiguration) WithCurrentOIDCClients(values ...*OIDCClientReferenceApplyConfiguration) *OIDCClientStatusApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithCurrentOIDCClients") + } + b.CurrentOIDCClients = append(b.CurrentOIDCClients, *values[i]) + } + return b +} + +// WithConsumingUsers adds the given value to the ConsumingUsers field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the ConsumingUsers field. +func (b *OIDCClientStatusApplyConfiguration) WithConsumingUsers(values ...configv1.ConsumingUser) *OIDCClientStatusApplyConfiguration { + for i := range values { + b.ConsumingUsers = append(b.ConsumingUsers, values[i]) + } + return b +} + +// WithConditions adds the given value to the Conditions field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Conditions field. +func (b *OIDCClientStatusApplyConfiguration) WithConditions(values ...metav1.Condition) *OIDCClientStatusApplyConfiguration { + for i := range values { + b.Conditions = append(b.Conditions, values[i]) + } + return b +} 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcprovider.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcprovider.go index c554a2662..d700ea5e1 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcprovider.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcprovider.go @@ -7,6 +7,7 @@ package v1 type OIDCProviderApplyConfiguration struct { Name *string `json:"name,omitempty"` Issuer *TokenIssuerApplyConfiguration `json:"issuer,omitempty"` + OIDCClients []OIDCClientConfigApplyConfiguration `json:"oidcClients,omitempty"` ClaimMappings *TokenClaimMappingsApplyConfiguration `json:"claimMappings,omitempty"` ClaimValidationRules []TokenClaimValidationRuleApplyConfiguration `json:"claimValidationRules,omitempty"` } @@ -33,6 +34,19 @@ func (b *OIDCProviderApplyConfiguration) WithIssuer(value *TokenIssuerApplyConfi return b } +// WithOIDCClients adds the given value to the OIDCClients field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the OIDCClients field. +func (b *OIDCProviderApplyConfiguration) WithOIDCClients(values ...*OIDCClientConfigApplyConfiguration) *OIDCProviderApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithOIDCClients") + } + b.OIDCClients = append(b.OIDCClients, *values[i]) + } + return b +} + // WithClaimMappings sets the ClaimMappings field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the ClaimMappings field is set to the value of the last call. 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openstackplatformspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openstackplatformspec.go deleted file mode 100644 index 3a54152ae..000000000 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openstackplatformspec.go +++ /dev/null 
@@ -1,51 +0,0 @@ -// Code generated by applyconfiguration-gen. DO NOT EDIT. - -package v1 - -import ( - v1 "github.com/openshift/api/config/v1" -) - -// OpenStackPlatformSpecApplyConfiguration represents an declarative configuration of the OpenStackPlatformSpec type for use -// with apply. -type OpenStackPlatformSpecApplyConfiguration struct { - APIServerInternalIPs []v1.IP `json:"apiServerInternalIPs,omitempty"` - IngressIPs []v1.IP `json:"ingressIPs,omitempty"` - MachineNetworks []v1.CIDR `json:"machineNetworks,omitempty"` -} - -// OpenStackPlatformSpecApplyConfiguration constructs an declarative configuration of the OpenStackPlatformSpec type for use with -// apply. -func OpenStackPlatformSpec() *OpenStackPlatformSpecApplyConfiguration { - return &OpenStackPlatformSpecApplyConfiguration{} -} - -// WithAPIServerInternalIPs adds the given value to the APIServerInternalIPs field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, values provided by each call will be appended to the APIServerInternalIPs field. -func (b *OpenStackPlatformSpecApplyConfiguration) WithAPIServerInternalIPs(values ...v1.IP) *OpenStackPlatformSpecApplyConfiguration { - for i := range values { - b.APIServerInternalIPs = append(b.APIServerInternalIPs, values[i]) - } - return b -} - -// WithIngressIPs adds the given value to the IngressIPs field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, values provided by each call will be appended to the IngressIPs field. 
-func (b *OpenStackPlatformSpecApplyConfiguration) WithIngressIPs(values ...v1.IP) *OpenStackPlatformSpecApplyConfiguration { - for i := range values { - b.IngressIPs = append(b.IngressIPs, values[i]) - } - return b -} - -// WithMachineNetworks adds the given value to the MachineNetworks field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, values provided by each call will be appended to the MachineNetworks field. -func (b *OpenStackPlatformSpecApplyConfiguration) WithMachineNetworks(values ...v1.CIDR) *OpenStackPlatformSpecApplyConfiguration { - for i := range values { - b.MachineNetworks = append(b.MachineNetworks, values[i]) - } - return b -} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openstackplatformstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openstackplatformstatus.go index 8cfab14db..56e3f30a4 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openstackplatformstatus.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openstackplatformstatus.go @@ -2,10 +2,6 @@ package v1 -import ( - configv1 "github.com/openshift/api/config/v1" -) - // OpenStackPlatformStatusApplyConfiguration represents an declarative configuration of the OpenStackPlatformStatus type for use // with apply. type OpenStackPlatformStatusApplyConfiguration struct { @@ -16,7 +12,6 @@ type OpenStackPlatformStatusApplyConfiguration struct { IngressIPs []string `json:"ingressIPs,omitempty"` NodeDNSIP *string `json:"nodeDNSIP,omitempty"` LoadBalancer *OpenStackPlatformLoadBalancerApplyConfiguration `json:"loadBalancer,omitempty"` - MachineNetworks []configv1.CIDR `json:"machineNetworks,omitempty"` } // OpenStackPlatformStatusApplyConfiguration constructs an declarative configuration of the OpenStackPlatformStatus type for use with 
@@ -84,13 +79,3 @@ func (b *OpenStackPlatformStatusApplyConfiguration) WithLoadBalancer(value *Open b.LoadBalancer = value return b } - -// WithMachineNetworks adds the given value to the MachineNetworks field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, values provided by each call will be appended to the MachineNetworks field. -func (b *OpenStackPlatformStatusApplyConfiguration) WithMachineNetworks(values ...configv1.CIDR) *OpenStackPlatformStatusApplyConfiguration { - for i := range values { - b.MachineNetworks = append(b.MachineNetworks, values[i]) - } - return b -} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/platformspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/platformspec.go index b5d001691..080b2d4f2 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/platformspec.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/platformspec.go 
@@ -9,21 +9,21 @@ import ( // PlatformSpecApplyConfiguration represents an declarative configuration of the PlatformSpec type for use // with apply. type PlatformSpecApplyConfiguration struct { - Type *v1.PlatformType `json:"type,omitempty"` - AWS *AWSPlatformSpecApplyConfiguration `json:"aws,omitempty"` - Azure *v1.AzurePlatformSpec `json:"azure,omitempty"` - GCP *v1.GCPPlatformSpec `json:"gcp,omitempty"` - BareMetal *BareMetalPlatformSpecApplyConfiguration `json:"baremetal,omitempty"` - OpenStack *OpenStackPlatformSpecApplyConfiguration `json:"openstack,omitempty"` - Ovirt *v1.OvirtPlatformSpec `json:"ovirt,omitempty"` - VSphere *VSpherePlatformSpecApplyConfiguration `json:"vsphere,omitempty"` - IBMCloud *v1.IBMCloudPlatformSpec `json:"ibmcloud,omitempty"` - Kubevirt *v1.KubevirtPlatformSpec `json:"kubevirt,omitempty"` - EquinixMetal *v1.EquinixMetalPlatformSpec `json:"equinixMetal,omitempty"` - PowerVS *PowerVSPlatformSpecApplyConfiguration `json:"powervs,omitempty"` - AlibabaCloud *v1.AlibabaCloudPlatformSpec `json:"alibabaCloud,omitempty"` - Nutanix *NutanixPlatformSpecApplyConfiguration `json:"nutanix,omitempty"` - External *ExternalPlatformSpecApplyConfiguration `json:"external,omitempty"` + Type *v1.PlatformType `json:"type,omitempty"` + AWS *AWSPlatformSpecApplyConfiguration `json:"aws,omitempty"` + Azure *v1.AzurePlatformSpec `json:"azure,omitempty"` + GCP *v1.GCPPlatformSpec `json:"gcp,omitempty"` + BareMetal *v1.BareMetalPlatformSpec `json:"baremetal,omitempty"` + OpenStack *v1.OpenStackPlatformSpec `json:"openstack,omitempty"` + Ovirt *v1.OvirtPlatformSpec `json:"ovirt,omitempty"` + VSphere *VSpherePlatformSpecApplyConfiguration `json:"vsphere,omitempty"` + IBMCloud *v1.IBMCloudPlatformSpec `json:"ibmcloud,omitempty"` + Kubevirt *v1.KubevirtPlatformSpec `json:"kubevirt,omitempty"` + EquinixMetal *v1.EquinixMetalPlatformSpec `json:"equinixMetal,omitempty"` + PowerVS *PowerVSPlatformSpecApplyConfiguration `json:"powervs,omitempty"` + AlibabaCloud 
*v1.AlibabaCloudPlatformSpec `json:"alibabaCloud,omitempty"` + Nutanix *NutanixPlatformSpecApplyConfiguration `json:"nutanix,omitempty"` + External *ExternalPlatformSpecApplyConfiguration `json:"external,omitempty"` } // PlatformSpecApplyConfiguration constructs an declarative configuration of the PlatformSpec type for use with @@ -67,16 +67,16 @@ func (b *PlatformSpecApplyConfiguration) WithGCP(value v1.GCPPlatformSpec) *Plat // WithBareMetal sets the BareMetal field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the BareMetal field is set to the value of the last call. -func (b *PlatformSpecApplyConfiguration) WithBareMetal(value *BareMetalPlatformSpecApplyConfiguration) *PlatformSpecApplyConfiguration { - b.BareMetal = value +func (b *PlatformSpecApplyConfiguration) WithBareMetal(value v1.BareMetalPlatformSpec) *PlatformSpecApplyConfiguration { + b.BareMetal = &value return b } // WithOpenStack sets the OpenStack field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the OpenStack field is set to the value of the last call. -func (b *PlatformSpecApplyConfiguration) WithOpenStack(value *OpenStackPlatformSpecApplyConfiguration) *PlatformSpecApplyConfiguration { - b.OpenStack = value +func (b *PlatformSpecApplyConfiguration) WithOpenStack(value v1.OpenStackPlatformSpec) *PlatformSpecApplyConfiguration { + b.OpenStack = &value return b } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/signaturestore.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/signaturestore.go new file mode 100644 index 000000000..b0d95c6e7 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/signaturestore.go 
@@ -0,0 +1,32 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// SignatureStoreApplyConfiguration represents an declarative configuration of the SignatureStore type for use +// with apply. +type SignatureStoreApplyConfiguration struct { + URL *string `json:"url,omitempty"` + CA *ConfigMapNameReferenceApplyConfiguration `json:"ca,omitempty"` +} + +// SignatureStoreApplyConfiguration constructs an declarative configuration of the SignatureStore type for use with +// apply. +func SignatureStore() *SignatureStoreApplyConfiguration { + return &SignatureStoreApplyConfiguration{} +} + +// WithURL sets the URL field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the URL field is set to the value of the last call. +func (b *SignatureStoreApplyConfiguration) WithURL(value string) *SignatureStoreApplyConfiguration { + b.URL = &value + return b +} + +// WithCA sets the CA field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the CA field is set to the value of the last call. +func (b *SignatureStoreApplyConfiguration) WithCA(value *ConfigMapNameReferenceApplyConfiguration) *SignatureStoreApplyConfiguration { + b.CA = value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformspec.go index f51fc93d5..3223b2ddf 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformspec.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformspec.go 
@@ -2,19 +2,12 @@ package v1 -import ( - configv1 "github.com/openshift/api/config/v1" -) - // VSpherePlatformSpecApplyConfiguration represents an declarative configuration of the VSpherePlatformSpec type for use // with apply. type VSpherePlatformSpecApplyConfiguration struct { - VCenters []VSpherePlatformVCenterSpecApplyConfiguration `json:"vcenters,omitempty"` - FailureDomains []VSpherePlatformFailureDomainSpecApplyConfiguration `json:"failureDomains,omitempty"` - NodeNetworking *VSpherePlatformNodeNetworkingApplyConfiguration `json:"nodeNetworking,omitempty"` - APIServerInternalIPs []configv1.IP `json:"apiServerInternalIPs,omitempty"` - IngressIPs []configv1.IP `json:"ingressIPs,omitempty"` - MachineNetworks []configv1.CIDR `json:"machineNetworks,omitempty"` + VCenters []VSpherePlatformVCenterSpecApplyConfiguration `json:"vcenters,omitempty"` + FailureDomains []VSpherePlatformFailureDomainSpecApplyConfiguration `json:"failureDomains,omitempty"` + NodeNetworking *VSpherePlatformNodeNetworkingApplyConfiguration `json:"nodeNetworking,omitempty"` } // VSpherePlatformSpecApplyConfiguration constructs an declarative configuration of the VSpherePlatformSpec type for use with 
@@ -56,33 +49,3 @@ func (b *VSpherePlatformSpecApplyConfiguration) WithNodeNetworking(value *VSpher b.NodeNetworking = value return b } - -// WithAPIServerInternalIPs adds the given value to the APIServerInternalIPs field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, values provided by each call will be appended to the APIServerInternalIPs field. -func (b *VSpherePlatformSpecApplyConfiguration) WithAPIServerInternalIPs(values ...configv1.IP) *VSpherePlatformSpecApplyConfiguration { - for i := range values { - b.APIServerInternalIPs = append(b.APIServerInternalIPs, values[i]) - } - return b -} - -// WithIngressIPs adds the given value to the IngressIPs field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, values provided by each call will be appended to the IngressIPs field. -func (b *VSpherePlatformSpecApplyConfiguration) WithIngressIPs(values ...configv1.IP) *VSpherePlatformSpecApplyConfiguration { - for i := range values { - b.IngressIPs = append(b.IngressIPs, values[i]) - } - return b -} - -// WithMachineNetworks adds the given value to the MachineNetworks field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, values provided by each call will be appended to the MachineNetworks field. -func (b *VSpherePlatformSpecApplyConfiguration) WithMachineNetworks(values ...configv1.CIDR) *VSpherePlatformSpecApplyConfiguration { - for i := range values { - b.MachineNetworks = append(b.MachineNetworks, values[i]) - } - return b -} 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformstatus.go index 11a0420d5..01e6fe9fe 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformstatus.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformstatus.go @@ -2,10 +2,6 @@ package v1 -import ( - configv1 "github.com/openshift/api/config/v1" -) - // VSpherePlatformStatusApplyConfiguration represents an declarative configuration of the VSpherePlatformStatus type for use // with apply. type VSpherePlatformStatusApplyConfiguration struct { @@ -15,7 +11,6 @@ type VSpherePlatformStatusApplyConfiguration struct { IngressIPs []string `json:"ingressIPs,omitempty"` NodeDNSIP *string `json:"nodeDNSIP,omitempty"` LoadBalancer *VSpherePlatformLoadBalancerApplyConfiguration `json:"loadBalancer,omitempty"` - MachineNetworks []configv1.CIDR `json:"machineNetworks,omitempty"` } // VSpherePlatformStatusApplyConfiguration constructs an declarative configuration of the VSpherePlatformStatus type for use with @@ -75,13 +70,3 @@ func (b *VSpherePlatformStatusApplyConfiguration) WithLoadBalancer(value *VSpher b.LoadBalancer = value return b } - -// WithMachineNetworks adds the given value to the MachineNetworks field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, values provided by each call will be appended to the MachineNetworks field. -func (b *VSpherePlatformStatusApplyConfiguration) WithMachineNetworks(values ...configv1.CIDR) *VSpherePlatformStatusApplyConfiguration { - for i := range values { - b.MachineNetworks = append(b.MachineNetworks, values[i]) - } - return b -} 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicy.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicy.go new file mode 100644 index 000000000..68089a6a7 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicy.go 
@@ -0,0 +1,240 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + configv1alpha1 "github.com/openshift/api/config/v1alpha1" + internal "github.com/openshift/client-go/config/applyconfigurations/internal" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + managedfields "k8s.io/apimachinery/pkg/util/managedfields" + v1 "k8s.io/client-go/applyconfigurations/meta/v1" +) + +// ClusterImagePolicyApplyConfiguration represents an declarative configuration of the ClusterImagePolicy type for use +// with apply. +type ClusterImagePolicyApplyConfiguration struct { + v1.TypeMetaApplyConfiguration `json:",inline"` + *v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"` + Spec *ClusterImagePolicySpecApplyConfiguration `json:"spec,omitempty"` + Status *ClusterImagePolicyStatusApplyConfiguration `json:"status,omitempty"` +} + +// ClusterImagePolicy constructs an declarative configuration of the ClusterImagePolicy type for use with +// apply. +func ClusterImagePolicy(name string) *ClusterImagePolicyApplyConfiguration { + b := &ClusterImagePolicyApplyConfiguration{} + b.WithName(name) + b.WithKind("ClusterImagePolicy") + b.WithAPIVersion("config.openshift.io/v1alpha1") + return b +} + +// ExtractClusterImagePolicy extracts the applied configuration owned by fieldManager from +// clusterImagePolicy. If no managedFields are found in clusterImagePolicy for fieldManager, a +// ClusterImagePolicyApplyConfiguration is returned with only the Name, Namespace (if applicable), +// APIVersion and Kind populated. It is possible that no managed fields were found for because other +// field managers have taken ownership of all the fields previously owned by fieldManager, or because +// the fieldManager never owned fields any fields. +// clusterImagePolicy must be a unmodified ClusterImagePolicy API object that was retrieved from the Kubernetes API. 
+// ExtractClusterImagePolicy provides a way to perform a extract/modify-in-place/apply workflow. +// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously +// applied if another fieldManager has updated or force applied any of the previously applied fields. +// Experimental! +func ExtractClusterImagePolicy(clusterImagePolicy *configv1alpha1.ClusterImagePolicy, fieldManager string) (*ClusterImagePolicyApplyConfiguration, error) { + return extractClusterImagePolicy(clusterImagePolicy, fieldManager, "") +} + +// ExtractClusterImagePolicyStatus is the same as ExtractClusterImagePolicy except +// that it extracts the status subresource applied configuration. +// Experimental! +func ExtractClusterImagePolicyStatus(clusterImagePolicy *configv1alpha1.ClusterImagePolicy, fieldManager string) (*ClusterImagePolicyApplyConfiguration, error) { + return extractClusterImagePolicy(clusterImagePolicy, fieldManager, "status") +} + +func extractClusterImagePolicy(clusterImagePolicy *configv1alpha1.ClusterImagePolicy, fieldManager string, subresource string) (*ClusterImagePolicyApplyConfiguration, error) { + b := &ClusterImagePolicyApplyConfiguration{} + err := managedfields.ExtractInto(clusterImagePolicy, internal.Parser().Type("com.github.openshift.api.config.v1alpha1.ClusterImagePolicy"), fieldManager, b, subresource) + if err != nil { + return nil, err + } + b.WithName(clusterImagePolicy.Name) + + b.WithKind("ClusterImagePolicy") + b.WithAPIVersion("config.openshift.io/v1alpha1") + return b, nil +} + +// WithKind sets the Kind field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Kind field is set to the value of the last call. 
+func (b *ClusterImagePolicyApplyConfiguration) WithKind(value string) *ClusterImagePolicyApplyConfiguration { + b.Kind = &value + return b +} + +// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the APIVersion field is set to the value of the last call. +func (b *ClusterImagePolicyApplyConfiguration) WithAPIVersion(value string) *ClusterImagePolicyApplyConfiguration { + b.APIVersion = &value + return b +} + +// WithName sets the Name field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Name field is set to the value of the last call. +func (b *ClusterImagePolicyApplyConfiguration) WithName(value string) *ClusterImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.Name = &value + return b +} + +// WithGenerateName sets the GenerateName field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the GenerateName field is set to the value of the last call. +func (b *ClusterImagePolicyApplyConfiguration) WithGenerateName(value string) *ClusterImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.GenerateName = &value + return b +} + +// WithNamespace sets the Namespace field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Namespace field is set to the value of the last call. 
+func (b *ClusterImagePolicyApplyConfiguration) WithNamespace(value string) *ClusterImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.Namespace = &value + return b +} + +// WithUID sets the UID field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the UID field is set to the value of the last call. +func (b *ClusterImagePolicyApplyConfiguration) WithUID(value types.UID) *ClusterImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.UID = &value + return b +} + +// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ResourceVersion field is set to the value of the last call. +func (b *ClusterImagePolicyApplyConfiguration) WithResourceVersion(value string) *ClusterImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ResourceVersion = &value + return b +} + +// WithGeneration sets the Generation field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Generation field is set to the value of the last call. +func (b *ClusterImagePolicyApplyConfiguration) WithGeneration(value int64) *ClusterImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.Generation = &value + return b +} + +// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the CreationTimestamp field is set to the value of the last call. 
+func (b *ClusterImagePolicyApplyConfiguration) WithCreationTimestamp(value metav1.Time) *ClusterImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.CreationTimestamp = &value + return b +} + +// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeletionTimestamp field is set to the value of the last call. +func (b *ClusterImagePolicyApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *ClusterImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.DeletionTimestamp = &value + return b +} + +// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call. +func (b *ClusterImagePolicyApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *ClusterImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.DeletionGracePeriodSeconds = &value + return b +} + +// WithLabels puts the entries into the Labels field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, the entries provided by each call will be put on the Labels field, +// overwriting an existing map entries in Labels field with the same key. 
+func (b *ClusterImagePolicyApplyConfiguration) WithLabels(entries map[string]string) *ClusterImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + if b.Labels == nil && len(entries) > 0 { + b.Labels = make(map[string]string, len(entries)) + } + for k, v := range entries { + b.Labels[k] = v + } + return b +} + +// WithAnnotations puts the entries into the Annotations field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, the entries provided by each call will be put on the Annotations field, +// overwriting an existing map entries in Annotations field with the same key. +func (b *ClusterImagePolicyApplyConfiguration) WithAnnotations(entries map[string]string) *ClusterImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + if b.Annotations == nil && len(entries) > 0 { + b.Annotations = make(map[string]string, len(entries)) + } + for k, v := range entries { + b.Annotations[k] = v + } + return b +} + +// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the OwnerReferences field. +func (b *ClusterImagePolicyApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *ClusterImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + for i := range values { + if values[i] == nil { + panic("nil value passed to WithOwnerReferences") + } + b.OwnerReferences = append(b.OwnerReferences, *values[i]) + } + return b +} + +// WithFinalizers adds the given value to the Finalizers field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. 
+// If called multiple times, values provided by each call will be appended to the Finalizers field. +func (b *ClusterImagePolicyApplyConfiguration) WithFinalizers(values ...string) *ClusterImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + for i := range values { + b.Finalizers = append(b.Finalizers, values[i]) + } + return b +} + +func (b *ClusterImagePolicyApplyConfiguration) ensureObjectMetaApplyConfigurationExists() { + if b.ObjectMetaApplyConfiguration == nil { + b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{} + } +} + +// WithSpec sets the Spec field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Spec field is set to the value of the last call. +func (b *ClusterImagePolicyApplyConfiguration) WithSpec(value *ClusterImagePolicySpecApplyConfiguration) *ClusterImagePolicyApplyConfiguration { + b.Spec = value + return b +} + +// WithStatus sets the Status field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Status field is set to the value of the last call. +func (b *ClusterImagePolicyApplyConfiguration) WithStatus(value *ClusterImagePolicyStatusApplyConfiguration) *ClusterImagePolicyApplyConfiguration { + b.Status = value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicyspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicyspec.go new file mode 100644 index 000000000..64dfa92dd --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicyspec.go 
@@ -0,0 +1,38 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "github.com/openshift/api/config/v1alpha1" +) + +// ClusterImagePolicySpecApplyConfiguration represents an declarative configuration of the ClusterImagePolicySpec type for use +// with apply. +type ClusterImagePolicySpecApplyConfiguration struct { + Scopes []v1alpha1.ImageScope `json:"scopes,omitempty"` + Policy *PolicyApplyConfiguration `json:"policy,omitempty"` +} + +// ClusterImagePolicySpecApplyConfiguration constructs an declarative configuration of the ClusterImagePolicySpec type for use with +// apply. +func ClusterImagePolicySpec() *ClusterImagePolicySpecApplyConfiguration { + return &ClusterImagePolicySpecApplyConfiguration{} +} + +// WithScopes adds the given value to the Scopes field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Scopes field. +func (b *ClusterImagePolicySpecApplyConfiguration) WithScopes(values ...v1alpha1.ImageScope) *ClusterImagePolicySpecApplyConfiguration { + for i := range values { + b.Scopes = append(b.Scopes, values[i]) + } + return b +} + +// WithPolicy sets the Policy field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Policy field is set to the value of the last call. +func (b *ClusterImagePolicySpecApplyConfiguration) WithPolicy(value *PolicyApplyConfiguration) *ClusterImagePolicySpecApplyConfiguration { + b.Policy = value + return b +} 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicystatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicystatus.go new file mode 100644 index 000000000..8f9c3a44c --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicystatus.go @@ -0,0 +1,29 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// ClusterImagePolicyStatusApplyConfiguration represents an declarative configuration of the ClusterImagePolicyStatus type for use +// with apply. +type ClusterImagePolicyStatusApplyConfiguration struct { + Conditions []v1.Condition `json:"conditions,omitempty"` +} + +// ClusterImagePolicyStatusApplyConfiguration constructs an declarative configuration of the ClusterImagePolicyStatus type for use with +// apply. +func ClusterImagePolicyStatus() *ClusterImagePolicyStatusApplyConfiguration { + return &ClusterImagePolicyStatusApplyConfiguration{} +} + +// WithConditions adds the given value to the Conditions field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Conditions field. +func (b *ClusterImagePolicyStatusApplyConfiguration) WithConditions(values ...v1.Condition) *ClusterImagePolicyStatusApplyConfiguration { + for i := range values { + b.Conditions = append(b.Conditions, values[i]) + } + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/fulciocawithrekor.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/fulciocawithrekor.go new file mode 100644 index 000000000..6fe09c0eb --- /dev/null 
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/fulciocawithrekor.go 
@@ -0,0 +1,41 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +// FulcioCAWithRekorApplyConfiguration represents an declarative configuration of the FulcioCAWithRekor type for use +// with apply. +type FulcioCAWithRekorApplyConfiguration struct { + FulcioCAData *string `json:"fulcioCAData,omitempty"` + RekorKeyData *string `json:"rekorKeyData,omitempty"` + FulcioSubject *PolicyFulcioSubjectApplyConfiguration `json:"fulcioSubject,omitempty"` +} + +// FulcioCAWithRekorApplyConfiguration constructs an declarative configuration of the FulcioCAWithRekor type for use with +// apply. +func FulcioCAWithRekor() *FulcioCAWithRekorApplyConfiguration { + return &FulcioCAWithRekorApplyConfiguration{} +} + +// WithFulcioCAData sets the FulcioCAData field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the FulcioCAData field is set to the value of the last call. +func (b *FulcioCAWithRekorApplyConfiguration) WithFulcioCAData(value string) *FulcioCAWithRekorApplyConfiguration { + b.FulcioCAData = &value + return b +} + +// WithRekorKeyData sets the RekorKeyData field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the RekorKeyData field is set to the value of the last call. +func (b *FulcioCAWithRekorApplyConfiguration) WithRekorKeyData(value string) *FulcioCAWithRekorApplyConfiguration { + b.RekorKeyData = &value + return b +} + +// WithFulcioSubject sets the FulcioSubject field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the FulcioSubject field is set to the value of the last call. 
+func (b *FulcioCAWithRekorApplyConfiguration) WithFulcioSubject(value *PolicyFulcioSubjectApplyConfiguration) *FulcioCAWithRekorApplyConfiguration { + b.FulcioSubject = value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicy.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicy.go new file mode 100644 index 000000000..412a28fc7 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicy.go 
@@ -0,0 +1,242 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + configv1alpha1 "github.com/openshift/api/config/v1alpha1" + internal "github.com/openshift/client-go/config/applyconfigurations/internal" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + managedfields "k8s.io/apimachinery/pkg/util/managedfields" + v1 "k8s.io/client-go/applyconfigurations/meta/v1" +) + +// ImagePolicyApplyConfiguration represents an declarative configuration of the ImagePolicy type for use +// with apply. +type ImagePolicyApplyConfiguration struct { + v1.TypeMetaApplyConfiguration `json:",inline"` + *v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"` + Spec *ImagePolicySpecApplyConfiguration `json:"spec,omitempty"` + Status *ImagePolicyStatusApplyConfiguration `json:"status,omitempty"` +} + +// ImagePolicy constructs an declarative configuration of the ImagePolicy type for use with +// apply. +func ImagePolicy(name, namespace string) *ImagePolicyApplyConfiguration { + b := &ImagePolicyApplyConfiguration{} + b.WithName(name) + b.WithNamespace(namespace) + b.WithKind("ImagePolicy") + b.WithAPIVersion("config.openshift.io/v1alpha1") + return b +} + +// ExtractImagePolicy extracts the applied configuration owned by fieldManager from +// imagePolicy. If no managedFields are found in imagePolicy for fieldManager, a +// ImagePolicyApplyConfiguration is returned with only the Name, Namespace (if applicable), +// APIVersion and Kind populated. It is possible that no managed fields were found for because other +// field managers have taken ownership of all the fields previously owned by fieldManager, or because +// the fieldManager never owned fields any fields. +// imagePolicy must be a unmodified ImagePolicy API object that was retrieved from the Kubernetes API. +// ExtractImagePolicy provides a way to perform a extract/modify-in-place/apply workflow. 
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously +// applied if another fieldManager has updated or force applied any of the previously applied fields. +// Experimental! +func ExtractImagePolicy(imagePolicy *configv1alpha1.ImagePolicy, fieldManager string) (*ImagePolicyApplyConfiguration, error) { + return extractImagePolicy(imagePolicy, fieldManager, "") +} + +// ExtractImagePolicyStatus is the same as ExtractImagePolicy except +// that it extracts the status subresource applied configuration. +// Experimental! +func ExtractImagePolicyStatus(imagePolicy *configv1alpha1.ImagePolicy, fieldManager string) (*ImagePolicyApplyConfiguration, error) { + return extractImagePolicy(imagePolicy, fieldManager, "status") +} + +func extractImagePolicy(imagePolicy *configv1alpha1.ImagePolicy, fieldManager string, subresource string) (*ImagePolicyApplyConfiguration, error) { + b := &ImagePolicyApplyConfiguration{} + err := managedfields.ExtractInto(imagePolicy, internal.Parser().Type("com.github.openshift.api.config.v1alpha1.ImagePolicy"), fieldManager, b, subresource) + if err != nil { + return nil, err + } + b.WithName(imagePolicy.Name) + b.WithNamespace(imagePolicy.Namespace) + + b.WithKind("ImagePolicy") + b.WithAPIVersion("config.openshift.io/v1alpha1") + return b, nil +} + +// WithKind sets the Kind field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Kind field is set to the value of the last call. +func (b *ImagePolicyApplyConfiguration) WithKind(value string) *ImagePolicyApplyConfiguration { + b.Kind = &value + return b +} + +// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. 
+// If called multiple times, the APIVersion field is set to the value of the last call. +func (b *ImagePolicyApplyConfiguration) WithAPIVersion(value string) *ImagePolicyApplyConfiguration { + b.APIVersion = &value + return b +} + +// WithName sets the Name field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Name field is set to the value of the last call. +func (b *ImagePolicyApplyConfiguration) WithName(value string) *ImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.Name = &value + return b +} + +// WithGenerateName sets the GenerateName field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the GenerateName field is set to the value of the last call. +func (b *ImagePolicyApplyConfiguration) WithGenerateName(value string) *ImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.GenerateName = &value + return b +} + +// WithNamespace sets the Namespace field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Namespace field is set to the value of the last call. +func (b *ImagePolicyApplyConfiguration) WithNamespace(value string) *ImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.Namespace = &value + return b +} + +// WithUID sets the UID field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the UID field is set to the value of the last call. 
+func (b *ImagePolicyApplyConfiguration) WithUID(value types.UID) *ImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.UID = &value + return b +} + +// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ResourceVersion field is set to the value of the last call. +func (b *ImagePolicyApplyConfiguration) WithResourceVersion(value string) *ImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ResourceVersion = &value + return b +} + +// WithGeneration sets the Generation field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Generation field is set to the value of the last call. +func (b *ImagePolicyApplyConfiguration) WithGeneration(value int64) *ImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.Generation = &value + return b +} + +// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the CreationTimestamp field is set to the value of the last call. +func (b *ImagePolicyApplyConfiguration) WithCreationTimestamp(value metav1.Time) *ImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.CreationTimestamp = &value + return b +} + +// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeletionTimestamp field is set to the value of the last call. 
+func (b *ImagePolicyApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *ImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.DeletionTimestamp = &value + return b +} + +// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call. +func (b *ImagePolicyApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *ImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.DeletionGracePeriodSeconds = &value + return b +} + +// WithLabels puts the entries into the Labels field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, the entries provided by each call will be put on the Labels field, +// overwriting an existing map entries in Labels field with the same key. +func (b *ImagePolicyApplyConfiguration) WithLabels(entries map[string]string) *ImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + if b.Labels == nil && len(entries) > 0 { + b.Labels = make(map[string]string, len(entries)) + } + for k, v := range entries { + b.Labels[k] = v + } + return b +} + +// WithAnnotations puts the entries into the Annotations field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, the entries provided by each call will be put on the Annotations field, +// overwriting an existing map entries in Annotations field with the same key. 
+func (b *ImagePolicyApplyConfiguration) WithAnnotations(entries map[string]string) *ImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + if b.Annotations == nil && len(entries) > 0 { + b.Annotations = make(map[string]string, len(entries)) + } + for k, v := range entries { + b.Annotations[k] = v + } + return b +} + +// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the OwnerReferences field. +func (b *ImagePolicyApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *ImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + for i := range values { + if values[i] == nil { + panic("nil value passed to WithOwnerReferences") + } + b.OwnerReferences = append(b.OwnerReferences, *values[i]) + } + return b +} + +// WithFinalizers adds the given value to the Finalizers field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Finalizers field. +func (b *ImagePolicyApplyConfiguration) WithFinalizers(values ...string) *ImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + for i := range values { + b.Finalizers = append(b.Finalizers, values[i]) + } + return b +} + +func (b *ImagePolicyApplyConfiguration) ensureObjectMetaApplyConfigurationExists() { + if b.ObjectMetaApplyConfiguration == nil { + b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{} + } +} + +// WithSpec sets the Spec field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. 
+// If called multiple times, the Spec field is set to the value of the last call. +func (b *ImagePolicyApplyConfiguration) WithSpec(value *ImagePolicySpecApplyConfiguration) *ImagePolicyApplyConfiguration { + b.Spec = value + return b +} + +// WithStatus sets the Status field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Status field is set to the value of the last call. +func (b *ImagePolicyApplyConfiguration) WithStatus(value *ImagePolicyStatusApplyConfiguration) *ImagePolicyApplyConfiguration { + b.Status = value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicyspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicyspec.go new file mode 100644 index 000000000..aecf932a7 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicyspec.go 
@@ -0,0 +1,38 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "github.com/openshift/api/config/v1alpha1" +) + +// ImagePolicySpecApplyConfiguration represents an declarative configuration of the ImagePolicySpec type for use +// with apply. +type ImagePolicySpecApplyConfiguration struct { + Scopes []v1alpha1.ImageScope `json:"scopes,omitempty"` + Policy *PolicyApplyConfiguration `json:"policy,omitempty"` +} + +// ImagePolicySpecApplyConfiguration constructs an declarative configuration of the ImagePolicySpec type for use with +// apply. +func ImagePolicySpec() *ImagePolicySpecApplyConfiguration { + return &ImagePolicySpecApplyConfiguration{} +} + +// WithScopes adds the given value to the Scopes field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Scopes field. +func (b *ImagePolicySpecApplyConfiguration) WithScopes(values ...v1alpha1.ImageScope) *ImagePolicySpecApplyConfiguration { + for i := range values { + b.Scopes = append(b.Scopes, values[i]) + } + return b +} + +// WithPolicy sets the Policy field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Policy field is set to the value of the last call. +func (b *ImagePolicySpecApplyConfiguration) WithPolicy(value *PolicyApplyConfiguration) *ImagePolicySpecApplyConfiguration { + b.Policy = value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicystatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicystatus.go new file mode 100644 index 000000000..d27a4d3c8 --- /dev/null 
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicystatus.go @@ -0,0 +1,29 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// ImagePolicyStatusApplyConfiguration represents an declarative configuration of the ImagePolicyStatus type for use +// with apply. +type ImagePolicyStatusApplyConfiguration struct { + Conditions []v1.Condition `json:"conditions,omitempty"` +} + +// ImagePolicyStatusApplyConfiguration constructs an declarative configuration of the ImagePolicyStatus type for use with +// apply. +func ImagePolicyStatus() *ImagePolicyStatusApplyConfiguration { + return &ImagePolicyStatusApplyConfiguration{} +} + +// WithConditions adds the given value to the Conditions field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Conditions field. +func (b *ImagePolicyStatusApplyConfiguration) WithConditions(values ...v1.Condition) *ImagePolicyStatusApplyConfiguration { + for i := range values { + b.Conditions = append(b.Conditions, values[i]) + } + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policy.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policy.go new file mode 100644 index 000000000..f4697d2bb --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policy.go 
@@ -0,0 +1,32 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +// PolicyApplyConfiguration represents an declarative configuration of the Policy type for use +// with apply. +type PolicyApplyConfiguration struct { + RootOfTrust *PolicyRootOfTrustApplyConfiguration `json:"rootOfTrust,omitempty"` + SignedIdentity *PolicyIdentityApplyConfiguration `json:"signedIdentity,omitempty"` +} + +// PolicyApplyConfiguration constructs an declarative configuration of the Policy type for use with +// apply. +func Policy() *PolicyApplyConfiguration { + return &PolicyApplyConfiguration{} +} + +// WithRootOfTrust sets the RootOfTrust field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the RootOfTrust field is set to the value of the last call. +func (b *PolicyApplyConfiguration) WithRootOfTrust(value *PolicyRootOfTrustApplyConfiguration) *PolicyApplyConfiguration { + b.RootOfTrust = value + return b +} + +// WithSignedIdentity sets the SignedIdentity field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the SignedIdentity field is set to the value of the last call. +func (b *PolicyApplyConfiguration) WithSignedIdentity(value *PolicyIdentityApplyConfiguration) *PolicyApplyConfiguration { + b.SignedIdentity = value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyfulciosubject.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyfulciosubject.go new file mode 100644 index 000000000..98b0db590 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyfulciosubject.go 
@@ -0,0 +1,32 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +// PolicyFulcioSubjectApplyConfiguration represents an declarative configuration of the PolicyFulcioSubject type for use +// with apply. +type PolicyFulcioSubjectApplyConfiguration struct { + OIDCIssuer *string `json:"oidcIssuer,omitempty"` + SignedEmail *string `json:"signedEmail,omitempty"` +} + +// PolicyFulcioSubjectApplyConfiguration constructs an declarative configuration of the PolicyFulcioSubject type for use with +// apply. +func PolicyFulcioSubject() *PolicyFulcioSubjectApplyConfiguration { + return &PolicyFulcioSubjectApplyConfiguration{} +} + +// WithOIDCIssuer sets the OIDCIssuer field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the OIDCIssuer field is set to the value of the last call. +func (b *PolicyFulcioSubjectApplyConfiguration) WithOIDCIssuer(value string) *PolicyFulcioSubjectApplyConfiguration { + b.OIDCIssuer = &value + return b +} + +// WithSignedEmail sets the SignedEmail field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the SignedEmail field is set to the value of the last call. +func (b *PolicyFulcioSubjectApplyConfiguration) WithSignedEmail(value string) *PolicyFulcioSubjectApplyConfiguration { + b.SignedEmail = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyidentity.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyidentity.go new file mode 100644 index 000000000..ef4769d02 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyidentity.go 
@@ -0,0 +1,45 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "github.com/openshift/api/config/v1alpha1" +) + +// PolicyIdentityApplyConfiguration represents an declarative configuration of the PolicyIdentity type for use +// with apply. +type PolicyIdentityApplyConfiguration struct { + MatchPolicy *v1alpha1.IdentityMatchPolicy `json:"matchPolicy,omitempty"` + PolicyMatchExactRepository *PolicyMatchExactRepositoryApplyConfiguration `json:"exactRepository,omitempty"` + PolicyMatchRemapIdentity *PolicyMatchRemapIdentityApplyConfiguration `json:"remapIdentity,omitempty"` +} + +// PolicyIdentityApplyConfiguration constructs an declarative configuration of the PolicyIdentity type for use with +// apply. +func PolicyIdentity() *PolicyIdentityApplyConfiguration { + return &PolicyIdentityApplyConfiguration{} +} + +// WithMatchPolicy sets the MatchPolicy field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the MatchPolicy field is set to the value of the last call. +func (b *PolicyIdentityApplyConfiguration) WithMatchPolicy(value v1alpha1.IdentityMatchPolicy) *PolicyIdentityApplyConfiguration { + b.MatchPolicy = &value + return b +} + +// WithPolicyMatchExactRepository sets the PolicyMatchExactRepository field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the PolicyMatchExactRepository field is set to the value of the last call. 
+func (b *PolicyIdentityApplyConfiguration) WithPolicyMatchExactRepository(value *PolicyMatchExactRepositoryApplyConfiguration) *PolicyIdentityApplyConfiguration { + b.PolicyMatchExactRepository = value + return b +} + +// WithPolicyMatchRemapIdentity sets the PolicyMatchRemapIdentity field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the PolicyMatchRemapIdentity field is set to the value of the last call. +func (b *PolicyIdentityApplyConfiguration) WithPolicyMatchRemapIdentity(value *PolicyMatchRemapIdentityApplyConfiguration) *PolicyIdentityApplyConfiguration { + b.PolicyMatchRemapIdentity = value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policymatchexactrepository.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policymatchexactrepository.go new file mode 100644 index 000000000..6bf36d733 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policymatchexactrepository.go 
@@ -0,0 +1,27 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "github.com/openshift/api/config/v1alpha1" +) + +// PolicyMatchExactRepositoryApplyConfiguration represents an declarative configuration of the PolicyMatchExactRepository type for use +// with apply. +type PolicyMatchExactRepositoryApplyConfiguration struct { + Repository *v1alpha1.IdentityRepositoryPrefix `json:"repository,omitempty"` +} + +// PolicyMatchExactRepositoryApplyConfiguration constructs an declarative configuration of the PolicyMatchExactRepository type for use with +// apply. +func PolicyMatchExactRepository() *PolicyMatchExactRepositoryApplyConfiguration { + return &PolicyMatchExactRepositoryApplyConfiguration{} +} + +// WithRepository sets the Repository field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Repository field is set to the value of the last call. +func (b *PolicyMatchExactRepositoryApplyConfiguration) WithRepository(value v1alpha1.IdentityRepositoryPrefix) *PolicyMatchExactRepositoryApplyConfiguration { + b.Repository = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policymatchremapidentity.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policymatchremapidentity.go new file mode 100644 index 000000000..20ecf141c --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policymatchremapidentity.go 
@@ -0,0 +1,36 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "github.com/openshift/api/config/v1alpha1" +) + +// PolicyMatchRemapIdentityApplyConfiguration represents an declarative configuration of the PolicyMatchRemapIdentity type for use +// with apply. +type PolicyMatchRemapIdentityApplyConfiguration struct { + Prefix *v1alpha1.IdentityRepositoryPrefix `json:"prefix,omitempty"` + SignedPrefix *v1alpha1.IdentityRepositoryPrefix `json:"signedPrefix,omitempty"` +} + +// PolicyMatchRemapIdentityApplyConfiguration constructs an declarative configuration of the PolicyMatchRemapIdentity type for use with +// apply. +func PolicyMatchRemapIdentity() *PolicyMatchRemapIdentityApplyConfiguration { + return &PolicyMatchRemapIdentityApplyConfiguration{} +} + +// WithPrefix sets the Prefix field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Prefix field is set to the value of the last call. +func (b *PolicyMatchRemapIdentityApplyConfiguration) WithPrefix(value v1alpha1.IdentityRepositoryPrefix) *PolicyMatchRemapIdentityApplyConfiguration { + b.Prefix = &value + return b +} + +// WithSignedPrefix sets the SignedPrefix field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the SignedPrefix field is set to the value of the last call. +func (b *PolicyMatchRemapIdentityApplyConfiguration) WithSignedPrefix(value v1alpha1.IdentityRepositoryPrefix) *PolicyMatchRemapIdentityApplyConfiguration { + b.SignedPrefix = &value + return b +} 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyrootoftrust.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyrootoftrust.go new file mode 100644 index 000000000..cc442ddae --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyrootoftrust.go 
@@ -0,0 +1,45 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "github.com/openshift/api/config/v1alpha1" +) + +// PolicyRootOfTrustApplyConfiguration represents an declarative configuration of the PolicyRootOfTrust type for use +// with apply. +type PolicyRootOfTrustApplyConfiguration struct { + PolicyType *v1alpha1.PolicyType `json:"policyType,omitempty"` + PublicKey *PublicKeyApplyConfiguration `json:"publicKey,omitempty"` + FulcioCAWithRekor *FulcioCAWithRekorApplyConfiguration `json:"fulcioCAWithRekor,omitempty"` +} + +// PolicyRootOfTrustApplyConfiguration constructs an declarative configuration of the PolicyRootOfTrust type for use with +// apply. +func PolicyRootOfTrust() *PolicyRootOfTrustApplyConfiguration { + return &PolicyRootOfTrustApplyConfiguration{} +} + +// WithPolicyType sets the PolicyType field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the PolicyType field is set to the value of the last call. +func (b *PolicyRootOfTrustApplyConfiguration) WithPolicyType(value v1alpha1.PolicyType) *PolicyRootOfTrustApplyConfiguration { + b.PolicyType = &value + return b +} + +// WithPublicKey sets the PublicKey field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the PublicKey field is set to the value of the last call. +func (b *PolicyRootOfTrustApplyConfiguration) WithPublicKey(value *PublicKeyApplyConfiguration) *PolicyRootOfTrustApplyConfiguration { + b.PublicKey = value + return b +} + +// WithFulcioCAWithRekor sets the FulcioCAWithRekor field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. 
+// If called multiple times, the FulcioCAWithRekor field is set to the value of the last call. +func (b *PolicyRootOfTrustApplyConfiguration) WithFulcioCAWithRekor(value *FulcioCAWithRekorApplyConfiguration) *PolicyRootOfTrustApplyConfiguration { + b.FulcioCAWithRekor = value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/publickey.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/publickey.go new file mode 100644 index 000000000..456fe9c86 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/publickey.go 
@@ -0,0 +1,32 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +// PublicKeyApplyConfiguration represents an declarative configuration of the PublicKey type for use +// with apply. +type PublicKeyApplyConfiguration struct { + KeyData *string `json:"keyData,omitempty"` + RekorKeyData *string `json:"rekorKeyData,omitempty"` +} + +// PublicKeyApplyConfiguration constructs an declarative configuration of the PublicKey type for use with +// apply. +func PublicKey() *PublicKeyApplyConfiguration { + return &PublicKeyApplyConfiguration{} +} + +// WithKeyData sets the KeyData field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the KeyData field is set to the value of the last call. +func (b *PublicKeyApplyConfiguration) WithKeyData(value string) *PublicKeyApplyConfiguration { + b.KeyData = &value + return b +} + +// WithRekorKeyData sets the RekorKeyData field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the RekorKeyData field is set to the value of the last call. +func (b *PublicKeyApplyConfiguration) WithRekorKeyData(value string) *PublicKeyApplyConfiguration { + b.RekorKeyData = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go index 1bde99cc2..443fc19e0 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go 
@@ -302,6 +302,15 @@ var schemaYAML = typed.YAMLObject(`types: type: namedType: com.github.openshift.api.config.v1.ConfigMapNameReference default: {} + - name: oidcClients + type: + list: + elementType: + namedType: com.github.openshift.api.config.v1.OIDCClientStatus + elementRelationship: associative + keys: + - componentNamespace + - componentName - name: com.github.openshift.api.config.v1.AzurePlatformSpec map: elementType: @@ -358,25 +367,16 @@ var schemaYAML = typed.YAMLObject(`types: - discriminator: type - name: com.github.openshift.api.config.v1.BareMetalPlatformSpec map: - fields: - - name: apiServerInternalIPs - type: - list: - elementType: - scalar: string - elementRelationship: associative - - name: ingressIPs - type: - list: - elementType: - scalar: string - elementRelationship: associative - - name: machineNetworks - type: - list: - elementType: - scalar: string - elementRelationship: associative + elementType: + scalar: untyped + list: + elementType: + namedType: __untyped_atomic_ + elementRelationship: atomic + map: + elementType: + namedType: __untyped_deduced_ + elementRelationship: separable - name: com.github.openshift.api.config.v1.BareMetalPlatformStatus map: fields: @@ -388,7 +388,7 @@ var schemaYAML = typed.YAMLObject(`types: list: elementType: scalar: string - elementRelationship: atomic + elementRelationship: associative - name: ingressIP type: scalar: string @@ -397,18 +397,12 @@ var schemaYAML = typed.YAMLObject(`types: list: elementType: scalar: string - elementRelationship: atomic + elementRelationship: associative - name: loadBalancer type: namedType: com.github.openshift.api.config.v1.BareMetalPlatformLoadBalancer default: type: OpenShiftManagedDefault - - name: machineNetworks - type: - list: - elementType: - scalar: string - elementRelationship: associative - name: nodeDNSIP type: scalar: string 
@@ -688,7 +682,20 @@ var schemaYAML = typed.YAMLObject(`types: list: elementType: namedType: com.github.openshift.api.config.v1.ComponentOverride - elementRelationship: atomic + elementRelationship: associative + keys: + - kind + - group + - namespace + - name + - name: signatureStores + type: + list: + elementType: + namedType: com.github.openshift.api.config.v1.SignatureStore + elementRelationship: associative + keys: + - url - name: upstream type: scalar: string @@ -716,7 +723,9 @@ var schemaYAML = typed.YAMLObject(`types: list: elementType: namedType: com.github.openshift.api.config.v1.ClusterOperatorStatusCondition - elementRelationship: atomic + elementRelationship: associative + keys: + - type - name: desired type: namedType: com.github.openshift.api.config.v1.Release @@ -1188,6 +1197,10 @@ var schemaYAML = typed.YAMLObject(`types: - name: com.github.openshift.api.config.v1.GCPPlatformStatus map: fields: + - name: clusterHostedDNS + type: + scalar: string + default: Disabled - name: projectID type: scalar: string @@ -2003,6 +2016,14 @@ var schemaYAML = typed.YAMLObject(`types: - name: clusterNetworkMTU type: scalar: numeric + - name: conditions + type: + list: + elementType: + namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Condition + elementRelationship: associative + keys: + - type - name: migration type: namedType: com.github.openshift.api.config.v1.NetworkMigration @@ -2119,7 +2140,7 @@ var schemaYAML = typed.YAMLObject(`types: list: elementType: scalar: string - elementRelationship: atomic + elementRelationship: associative - name: ingressIP type: scalar: string @@ -2128,7 +2149,7 @@ var schemaYAML = typed.YAMLObject(`types: list: elementType: scalar: string - elementRelationship: atomic + elementRelationship: associative - name: loadBalancer type: namedType: com.github.openshift.api.config.v1.NutanixPlatformLoadBalancer 
@@ -2241,6 +2262,80 @@ var schemaYAML = typed.YAMLObject(`types: type: namedType: com.github.openshift.api.config.v1.SecretNameReference default: {} +- name: com.github.openshift.api.config.v1.OIDCClientConfig + map: + fields: + - name: clientID + type: + scalar: string + default: "" + - name: clientSecret + type: + namedType: com.github.openshift.api.config.v1.SecretNameReference + default: {} + - name: componentName + type: + scalar: string + default: "" + - name: componentNamespace + type: + scalar: string + default: "" + - name: extraScopes + type: + list: + elementType: + scalar: string + elementRelationship: associative +- name: com.github.openshift.api.config.v1.OIDCClientReference + map: + fields: + - name: clientID + type: + scalar: string + default: "" + - name: issuerURL + type: + scalar: string + default: "" + - name: oidcProviderName + type: + scalar: string + default: "" +- name: com.github.openshift.api.config.v1.OIDCClientStatus + map: + fields: + - name: componentName + type: + scalar: string + default: "" + - name: componentNamespace + type: + scalar: string + default: "" + - name: conditions + type: + list: + elementType: + namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Condition + elementRelationship: associative + keys: + - type + - name: consumingUsers + type: + list: + elementType: + scalar: string + elementRelationship: associative + - name: currentOIDCClients + type: + list: + elementType: + namedType: com.github.openshift.api.config.v1.OIDCClientReference + elementRelationship: associative + keys: + - issuerURL + - clientID - name: com.github.openshift.api.config.v1.OIDCProvider map: fields: 
@@ -2262,6 +2357,15 @@ var schemaYAML = typed.YAMLObject(`types: type: scalar: string default: "" + - name: oidcClients + type: + list: + elementType: + namedType: com.github.openshift.api.config.v1.OIDCClientConfig + elementRelationship: associative + keys: + - componentNamespace + - componentName - name: com.github.openshift.api.config.v1.ObjectReference map: fields: @@ -2364,25 +2468,16 @@ var schemaYAML = typed.YAMLObject(`types: - discriminator: type - name: com.github.openshift.api.config.v1.OpenStackPlatformSpec map: - fields: - - name: apiServerInternalIPs - type: - list: - elementType: - scalar: string - elementRelationship: associative - - name: ingressIPs - type: - list: - elementType: - scalar: string - elementRelationship: associative - - name: machineNetworks - type: - list: - elementType: - scalar: string - elementRelationship: associative + elementType: + scalar: untyped + list: + elementType: + namedType: __untyped_atomic_ + elementRelationship: atomic + map: + elementType: + namedType: __untyped_deduced_ + elementRelationship: separable - name: com.github.openshift.api.config.v1.OpenStackPlatformStatus map: fields: @@ -2394,7 +2489,7 @@ var schemaYAML = typed.YAMLObject(`types: list: elementType: scalar: string - elementRelationship: atomic + elementRelationship: associative - name: cloudName type: scalar: string @@ -2406,18 +2501,12 @@ var schemaYAML = typed.YAMLObject(`types: list: elementType: scalar: string - elementRelationship: atomic + elementRelationship: associative - name: loadBalancer type: namedType: com.github.openshift.api.config.v1.OpenStackPlatformLoadBalancer default: type: OpenShiftManagedDefault - - name: machineNetworks - type: - list: - elementType: - scalar: string - elementRelationship: associative - name: nodeDNSIP type: scalar: string 
@@ -2506,7 +2595,7 @@ var schemaYAML = typed.YAMLObject(`types: list: elementType: scalar: string - elementRelationship: atomic + elementRelationship: associative - name: ingressIP type: scalar: string @@ -2515,7 +2604,7 @@ var schemaYAML = typed.YAMLObject(`types: list: elementType: scalar: string - elementRelationship: atomic + elementRelationship: associative - name: loadBalancer type: namedType: com.github.openshift.api.config.v1.OvirtPlatformLoadBalancer @@ -2655,7 +2744,9 @@ var schemaYAML = typed.YAMLObject(`types: list: elementType: namedType: com.github.openshift.api.config.v1.PowerVSServiceEndpoint - elementRelationship: atomic + elementRelationship: associative + keys: + - name - name: zone type: scalar: string @@ -2833,7 +2924,7 @@ var schemaYAML = typed.YAMLObject(`types: list: elementType: scalar: string - elementRelationship: atomic + elementRelationship: associative - name: image type: scalar: string @@ -2985,6 +3076,17 @@ var schemaYAML = typed.YAMLObject(`types: type: scalar: string default: "" +- name: com.github.openshift.api.config.v1.SignatureStore + map: + fields: + - name: ca + type: + namedType: com.github.openshift.api.config.v1.ConfigMapNameReference + default: {} + - name: url + type: + scalar: string + default: "" - name: com.github.openshift.api.config.v1.TLSSecurityProfile map: fields: 
@@ -3212,34 +3314,18 @@ var schemaYAML = typed.YAMLObject(`types: list: elementType: scalar: string - elementRelationship: atomic + elementRelationship: associative - name: com.github.openshift.api.config.v1.VSpherePlatformSpec map: fields: - - name: apiServerInternalIPs - type: - list: - elementType: - scalar: string - elementRelationship: associative - name: failureDomains type: list: elementType: namedType: com.github.openshift.api.config.v1.VSpherePlatformFailureDomainSpec - elementRelationship: atomic - - name: ingressIPs - type: - list: - elementType: - scalar: string - elementRelationship: associative - - name: machineNetworks - type: - list: - elementType: - scalar: string elementRelationship: associative + keys: + - name - name: nodeNetworking type: namedType: com.github.openshift.api.config.v1.VSpherePlatformNodeNetworking @@ -3261,7 +3347,7 @@ var schemaYAML = typed.YAMLObject(`types: list: elementType: scalar: string - elementRelationship: atomic + elementRelationship: associative - name: ingressIP type: scalar: string @@ -3270,18 +3356,12 @@ var schemaYAML = typed.YAMLObject(`types: list: elementType: scalar: string - elementRelationship: atomic + elementRelationship: associative - name: loadBalancer type: namedType: com.github.openshift.api.config.v1.VSpherePlatformLoadBalancer default: type: OpenShiftManagedDefault - - name: machineNetworks - type: - list: - elementType: - scalar: string - elementRelationship: associative - name: nodeDNSIP type: scalar: string @@ -3323,7 +3403,7 @@ var schemaYAML = typed.YAMLObject(`types: list: elementType: scalar: string - elementRelationship: atomic + elementRelationship: associative - name: port type: scalar: numeric 
@@ -3378,6 +3458,51 @@ var schemaYAML = typed.YAMLObject(`types: elementType: namedType: __untyped_deduced_ elementRelationship: separable +- name: com.github.openshift.api.config.v1alpha1.ClusterImagePolicy + map: + fields: + - name: apiVersion + type: + scalar: string + - name: kind + type: + scalar: string + - name: metadata + type: + namedType: io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta + default: {} + - name: spec + type: + namedType: com.github.openshift.api.config.v1alpha1.ClusterImagePolicySpec + default: {} + - name: status + type: + namedType: com.github.openshift.api.config.v1alpha1.ClusterImagePolicyStatus + default: {} +- name: com.github.openshift.api.config.v1alpha1.ClusterImagePolicySpec + map: + fields: + - name: policy + type: + namedType: com.github.openshift.api.config.v1alpha1.Policy + default: {} + - name: scopes + type: + list: + elementType: + scalar: string + elementRelationship: associative +- name: com.github.openshift.api.config.v1alpha1.ClusterImagePolicyStatus + map: + fields: + - name: conditions + type: + list: + elementType: + namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Condition + elementRelationship: associative + keys: + - type - name: com.github.openshift.api.config.v1alpha1.EtcdBackupSpec map: fields: @@ -3397,6 +3522,21 @@ var schemaYAML = typed.YAMLObject(`types: type: scalar: string default: "" +- name: com.github.openshift.api.config.v1alpha1.FulcioCAWithRekor + map: + fields: + - name: fulcioCAData + type: + scalar: string + default: "" + - name: fulcioSubject + type: + namedType: com.github.openshift.api.config.v1alpha1.PolicyFulcioSubject + default: {} + - name: rekorKeyData + type: + scalar: string + default: "" - name: com.github.openshift.api.config.v1alpha1.GatherConfig map: fields: 
@@ -3409,6 +3549,51 @@ var schemaYAML = typed.YAMLObject(`types: elementType: scalar: string elementRelationship: atomic +- name: com.github.openshift.api.config.v1alpha1.ImagePolicy + map: + fields: + - name: apiVersion + type: + scalar: string + - name: kind + type: + scalar: string + - name: metadata + type: + namedType: io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta + default: {} + - name: spec + type: + namedType: com.github.openshift.api.config.v1alpha1.ImagePolicySpec + default: {} + - name: status + type: + namedType: com.github.openshift.api.config.v1alpha1.ImagePolicyStatus + default: {} +- name: com.github.openshift.api.config.v1alpha1.ImagePolicySpec + map: + fields: + - name: policy + type: + namedType: com.github.openshift.api.config.v1alpha1.Policy + default: {} + - name: scopes + type: + list: + elementType: + scalar: string + elementRelationship: associative +- name: com.github.openshift.api.config.v1alpha1.ImagePolicyStatus + map: + fields: + - name: conditions + type: + list: + elementType: + namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Condition + elementRelationship: associative + keys: + - type - name: com.github.openshift.api.config.v1alpha1.InsightsDataGather map: fields: 
@@ -3449,6 +3634,96 @@ var schemaYAML = typed.YAMLObject(`types: elementType: namedType: __untyped_deduced_ elementRelationship: separable +- name: com.github.openshift.api.config.v1alpha1.Policy + map: + fields: + - name: rootOfTrust + type: + namedType: com.github.openshift.api.config.v1alpha1.PolicyRootOfTrust + default: {} + - name: signedIdentity + type: + namedType: com.github.openshift.api.config.v1alpha1.PolicyIdentity + default: {} +- name: com.github.openshift.api.config.v1alpha1.PolicyFulcioSubject + map: + fields: + - name: oidcIssuer + type: + scalar: string + default: "" + - name: signedEmail + type: + scalar: string + default: "" +- name: com.github.openshift.api.config.v1alpha1.PolicyIdentity + map: + fields: + - name: exactRepository + type: + namedType: com.github.openshift.api.config.v1alpha1.PolicyMatchExactRepository + - name: matchPolicy + type: + scalar: string + default: "" + - name: remapIdentity + type: + namedType: com.github.openshift.api.config.v1alpha1.PolicyMatchRemapIdentity + unions: + - discriminator: matchPolicy + fields: + - fieldName: exactRepository + discriminatorValue: PolicyMatchExactRepository + - fieldName: remapIdentity + discriminatorValue: PolicyMatchRemapIdentity +- name: com.github.openshift.api.config.v1alpha1.PolicyMatchExactRepository + map: + fields: + - name: repository + type: + scalar: string + default: "" +- name: com.github.openshift.api.config.v1alpha1.PolicyMatchRemapIdentity + map: + fields: + - name: prefix + type: + scalar: string + default: "" + - name: signedPrefix + type: + scalar: string + default: "" +- name: com.github.openshift.api.config.v1alpha1.PolicyRootOfTrust + map: + fields: + - name: fulcioCAWithRekor + type: + namedType: com.github.openshift.api.config.v1alpha1.FulcioCAWithRekor + - name: policyType + type: + scalar: string + default: "" + - name: publicKey + type: + namedType: com.github.openshift.api.config.v1alpha1.PublicKey + unions: + - discriminator: policyType + fields: + - 
fieldName: fulcioCAWithRekor + discriminatorValue: FulcioCAWithRekor + - fieldName: publicKey + discriminatorValue: PublicKey +- name: com.github.openshift.api.config.v1alpha1.PublicKey + map: + fields: + - name: keyData + type: + scalar: string + default: "" + - name: rekorKeyData + type: + scalar: string - name: com.github.openshift.api.config.v1alpha1.RetentionNumberConfig map: fields: diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/clusterimagepolicy.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/clusterimagepolicy.go new file mode 100644 index 000000000..89ed7717e --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/clusterimagepolicy.go 
@@ -0,0 +1,227 @@ +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + json "encoding/json" + "fmt" + "time" + + v1alpha1 "github.com/openshift/api/config/v1alpha1" + configv1alpha1 "github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1" + scheme "github.com/openshift/client-go/config/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// ClusterImagePoliciesGetter has a method to return a ClusterImagePolicyInterface. +// A group's client should implement this interface. +type ClusterImagePoliciesGetter interface { + ClusterImagePolicies() ClusterImagePolicyInterface +} + +// ClusterImagePolicyInterface has methods to work with ClusterImagePolicy resources. +type ClusterImagePolicyInterface interface { + Create(ctx context.Context, clusterImagePolicy *v1alpha1.ClusterImagePolicy, opts v1.CreateOptions) (*v1alpha1.ClusterImagePolicy, error) + Update(ctx context.Context, clusterImagePolicy *v1alpha1.ClusterImagePolicy, opts v1.UpdateOptions) (*v1alpha1.ClusterImagePolicy, error) + UpdateStatus(ctx context.Context, clusterImagePolicy *v1alpha1.ClusterImagePolicy, opts v1.UpdateOptions) (*v1alpha1.ClusterImagePolicy, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.ClusterImagePolicy, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.ClusterImagePolicyList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ClusterImagePolicy, err error) + Apply(ctx context.Context, clusterImagePolicy 
*configv1alpha1.ClusterImagePolicyApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.ClusterImagePolicy, err error) + ApplyStatus(ctx context.Context, clusterImagePolicy *configv1alpha1.ClusterImagePolicyApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.ClusterImagePolicy, err error) + ClusterImagePolicyExpansion +} + +// clusterImagePolicies implements ClusterImagePolicyInterface +type clusterImagePolicies struct { + client rest.Interface +} + +// newClusterImagePolicies returns a ClusterImagePolicies +func newClusterImagePolicies(c *ConfigV1alpha1Client) *clusterImagePolicies { + return &clusterImagePolicies{ + client: c.RESTClient(), + } +} + +// Get takes name of the clusterImagePolicy, and returns the corresponding clusterImagePolicy object, and an error if there is any. +func (c *clusterImagePolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.ClusterImagePolicy, err error) { + result = &v1alpha1.ClusterImagePolicy{} + err = c.client.Get(). + Resource("clusterimagepolicies"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of ClusterImagePolicies that match those selectors. +func (c *clusterImagePolicies) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.ClusterImagePolicyList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.ClusterImagePolicyList{} + err = c.client.Get(). + Resource("clusterimagepolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested clusterImagePolicies. 
+func (c *clusterImagePolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Resource("clusterimagepolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a clusterImagePolicy and creates it. Returns the server's representation of the clusterImagePolicy, and an error, if there is any. +func (c *clusterImagePolicies) Create(ctx context.Context, clusterImagePolicy *v1alpha1.ClusterImagePolicy, opts v1.CreateOptions) (result *v1alpha1.ClusterImagePolicy, err error) { + result = &v1alpha1.ClusterImagePolicy{} + err = c.client.Post(). + Resource("clusterimagepolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(clusterImagePolicy). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a clusterImagePolicy and updates it. Returns the server's representation of the clusterImagePolicy, and an error, if there is any. +func (c *clusterImagePolicies) Update(ctx context.Context, clusterImagePolicy *v1alpha1.ClusterImagePolicy, opts v1.UpdateOptions) (result *v1alpha1.ClusterImagePolicy, err error) { + result = &v1alpha1.ClusterImagePolicy{} + err = c.client.Put(). + Resource("clusterimagepolicies"). + Name(clusterImagePolicy.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(clusterImagePolicy). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *clusterImagePolicies) UpdateStatus(ctx context.Context, clusterImagePolicy *v1alpha1.ClusterImagePolicy, opts v1.UpdateOptions) (result *v1alpha1.ClusterImagePolicy, err error) { + result = &v1alpha1.ClusterImagePolicy{} + err = c.client.Put(). 
+ Resource("clusterimagepolicies"). + Name(clusterImagePolicy.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(clusterImagePolicy). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the clusterImagePolicy and deletes it. Returns an error if one occurs. +func (c *clusterImagePolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Resource("clusterimagepolicies"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *clusterImagePolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Resource("clusterimagepolicies"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched clusterImagePolicy. +func (c *clusterImagePolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ClusterImagePolicy, err error) { + result = &v1alpha1.ClusterImagePolicy{} + err = c.client.Patch(pt). + Resource("clusterimagepolicies"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} + +// Apply takes the given apply declarative configuration, applies it and returns the applied clusterImagePolicy. 
+func (c *clusterImagePolicies) Apply(ctx context.Context, clusterImagePolicy *configv1alpha1.ClusterImagePolicyApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.ClusterImagePolicy, err error) { + if clusterImagePolicy == nil { + return nil, fmt.Errorf("clusterImagePolicy provided to Apply must not be nil") + } + patchOpts := opts.ToPatchOptions() + data, err := json.Marshal(clusterImagePolicy) + if err != nil { + return nil, err + } + name := clusterImagePolicy.Name + if name == nil { + return nil, fmt.Errorf("clusterImagePolicy.Name must be provided to Apply") + } + result = &v1alpha1.ClusterImagePolicy{} + err = c.client.Patch(types.ApplyPatchType). + Resource("clusterimagepolicies"). + Name(*name). + VersionedParams(&patchOpts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} + +// ApplyStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus(). +func (c *clusterImagePolicies) ApplyStatus(ctx context.Context, clusterImagePolicy *configv1alpha1.ClusterImagePolicyApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.ClusterImagePolicy, err error) { + if clusterImagePolicy == nil { + return nil, fmt.Errorf("clusterImagePolicy provided to Apply must not be nil") + } + patchOpts := opts.ToPatchOptions() + data, err := json.Marshal(clusterImagePolicy) + if err != nil { + return nil, err + } + + name := clusterImagePolicy.Name + if name == nil { + return nil, fmt.Errorf("clusterImagePolicy.Name must be provided to Apply") + } + + result = &v1alpha1.ClusterImagePolicy{} + err = c.client.Patch(types.ApplyPatchType). + Resource("clusterimagepolicies"). + Name(*name). + SubResource("status"). + VersionedParams(&patchOpts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} 
diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/config_client.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/config_client.go index fec88f0cc..cfbbd848b 100644 --- a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/config_client.go +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/config_client.go @@ -13,6 +13,8 @@ import ( type ConfigV1alpha1Interface interface { RESTClient() rest.Interface BackupsGetter + ClusterImagePoliciesGetter + ImagePoliciesGetter InsightsDataGathersGetter } @@ -25,6 +27,14 @@ func (c *ConfigV1alpha1Client) Backups() BackupInterface { return newBackups(c) } +func (c *ConfigV1alpha1Client) ClusterImagePolicies() ClusterImagePolicyInterface { + return newClusterImagePolicies(c) +} + +func (c *ConfigV1alpha1Client) ImagePolicies(namespace string) ImagePolicyInterface { + return newImagePolicies(c, namespace) +} + func (c *ConfigV1alpha1Client) InsightsDataGathers() InsightsDataGatherInterface { return newInsightsDataGathers(c) } diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/fake/fake_clusterimagepolicy.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/fake/fake_clusterimagepolicy.go new file mode 100644 index 000000000..3e3853c90 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/fake/fake_clusterimagepolicy.go 
@@ -0,0 +1,162 @@ +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + json "encoding/json" + "fmt" + + v1alpha1 "github.com/openshift/api/config/v1alpha1" + configv1alpha1 "github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeClusterImagePolicies implements ClusterImagePolicyInterface +type FakeClusterImagePolicies struct { + Fake *FakeConfigV1alpha1 +} + +var clusterimagepoliciesResource = v1alpha1.SchemeGroupVersion.WithResource("clusterimagepolicies") + +var clusterimagepoliciesKind = v1alpha1.SchemeGroupVersion.WithKind("ClusterImagePolicy") + +// Get takes name of the clusterImagePolicy, and returns the corresponding clusterImagePolicy object, and an error if there is any. +func (c *FakeClusterImagePolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.ClusterImagePolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootGetAction(clusterimagepoliciesResource, name), &v1alpha1.ClusterImagePolicy{}) + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ClusterImagePolicy), err +} + +// List takes label and field selectors, and returns the list of ClusterImagePolicies that match those selectors. +func (c *FakeClusterImagePolicies) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.ClusterImagePolicyList, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewRootListAction(clusterimagepoliciesResource, clusterimagepoliciesKind, opts), &v1alpha1.ClusterImagePolicyList{}) + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.ClusterImagePolicyList{ListMeta: obj.(*v1alpha1.ClusterImagePolicyList).ListMeta} + for _, item := range obj.(*v1alpha1.ClusterImagePolicyList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested clusterImagePolicies. +func (c *FakeClusterImagePolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewRootWatchAction(clusterimagepoliciesResource, opts)) +} + +// Create takes the representation of a clusterImagePolicy and creates it. Returns the server's representation of the clusterImagePolicy, and an error, if there is any. +func (c *FakeClusterImagePolicies) Create(ctx context.Context, clusterImagePolicy *v1alpha1.ClusterImagePolicy, opts v1.CreateOptions) (result *v1alpha1.ClusterImagePolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootCreateAction(clusterimagepoliciesResource, clusterImagePolicy), &v1alpha1.ClusterImagePolicy{}) + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ClusterImagePolicy), err +} + +// Update takes the representation of a clusterImagePolicy and updates it. Returns the server's representation of the clusterImagePolicy, and an error, if there is any. +func (c *FakeClusterImagePolicies) Update(ctx context.Context, clusterImagePolicy *v1alpha1.ClusterImagePolicy, opts v1.UpdateOptions) (result *v1alpha1.ClusterImagePolicy, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewRootUpdateAction(clusterimagepoliciesResource, clusterImagePolicy), &v1alpha1.ClusterImagePolicy{}) + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ClusterImagePolicy), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeClusterImagePolicies) UpdateStatus(ctx context.Context, clusterImagePolicy *v1alpha1.ClusterImagePolicy, opts v1.UpdateOptions) (*v1alpha1.ClusterImagePolicy, error) { + obj, err := c.Fake. + Invokes(testing.NewRootUpdateSubresourceAction(clusterimagepoliciesResource, "status", clusterImagePolicy), &v1alpha1.ClusterImagePolicy{}) + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ClusterImagePolicy), err +} + +// Delete takes name of the clusterImagePolicy and deletes it. Returns an error if one occurs. +func (c *FakeClusterImagePolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewRootDeleteActionWithOptions(clusterimagepoliciesResource, name, opts), &v1alpha1.ClusterImagePolicy{}) + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeClusterImagePolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewRootDeleteCollectionAction(clusterimagepoliciesResource, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.ClusterImagePolicyList{}) + return err +} + +// Patch applies the patch and returns the patched clusterImagePolicy. +func (c *FakeClusterImagePolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ClusterImagePolicy, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewRootPatchSubresourceAction(clusterimagepoliciesResource, name, pt, data, subresources...), &v1alpha1.ClusterImagePolicy{}) + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ClusterImagePolicy), err +} + +// Apply takes the given apply declarative configuration, applies it and returns the applied clusterImagePolicy. +func (c *FakeClusterImagePolicies) Apply(ctx context.Context, clusterImagePolicy *configv1alpha1.ClusterImagePolicyApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.ClusterImagePolicy, err error) { + if clusterImagePolicy == nil { + return nil, fmt.Errorf("clusterImagePolicy provided to Apply must not be nil") + } + data, err := json.Marshal(clusterImagePolicy) + if err != nil { + return nil, err + } + name := clusterImagePolicy.Name + if name == nil { + return nil, fmt.Errorf("clusterImagePolicy.Name must be provided to Apply") + } + obj, err := c.Fake. + Invokes(testing.NewRootPatchSubresourceAction(clusterimagepoliciesResource, *name, types.ApplyPatchType, data), &v1alpha1.ClusterImagePolicy{}) + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ClusterImagePolicy), err +} + +// ApplyStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus(). +func (c *FakeClusterImagePolicies) ApplyStatus(ctx context.Context, clusterImagePolicy *configv1alpha1.ClusterImagePolicyApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.ClusterImagePolicy, err error) { + if clusterImagePolicy == nil { + return nil, fmt.Errorf("clusterImagePolicy provided to Apply must not be nil") + } + data, err := json.Marshal(clusterImagePolicy) + if err != nil { + return nil, err + } + name := clusterImagePolicy.Name + if name == nil { + return nil, fmt.Errorf("clusterImagePolicy.Name must be provided to Apply") + } + obj, err := c.Fake. 
+ Invokes(testing.NewRootPatchSubresourceAction(clusterimagepoliciesResource, *name, types.ApplyPatchType, data, "status"), &v1alpha1.ClusterImagePolicy{}) + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ClusterImagePolicy), err +} diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go index 2766bd4ed..c720aa837 100644 --- a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go @@ -16,6 +16,14 @@ func (c *FakeConfigV1alpha1) Backups() v1alpha1.BackupInterface { return &FakeBackups{c} } +func (c *FakeConfigV1alpha1) ClusterImagePolicies() v1alpha1.ClusterImagePolicyInterface { + return &FakeClusterImagePolicies{c} +} + +func (c *FakeConfigV1alpha1) ImagePolicies(namespace string) v1alpha1.ImagePolicyInterface { + return &FakeImagePolicies{c, namespace} +} + func (c *FakeConfigV1alpha1) InsightsDataGathers() v1alpha1.InsightsDataGatherInterface { return &FakeInsightsDataGathers{c} } diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/fake/fake_imagepolicy.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/fake/fake_imagepolicy.go new file mode 100644 index 000000000..7eb686af9 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/fake/fake_imagepolicy.go 
@@ -0,0 +1,173 @@ +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + json "encoding/json" + "fmt" + + v1alpha1 "github.com/openshift/api/config/v1alpha1" + configv1alpha1 "github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeImagePolicies implements ImagePolicyInterface +type FakeImagePolicies struct { + Fake *FakeConfigV1alpha1 + ns string +} + +var imagepoliciesResource = v1alpha1.SchemeGroupVersion.WithResource("imagepolicies") + +var imagepoliciesKind = v1alpha1.SchemeGroupVersion.WithKind("ImagePolicy") + +// Get takes name of the imagePolicy, and returns the corresponding imagePolicy object, and an error if there is any. +func (c *FakeImagePolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.ImagePolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(imagepoliciesResource, c.ns, name), &v1alpha1.ImagePolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ImagePolicy), err +} + +// List takes label and field selectors, and returns the list of ImagePolicies that match those selectors. +func (c *FakeImagePolicies) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.ImagePolicyList, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewListAction(imagepoliciesResource, imagepoliciesKind, c.ns, opts), &v1alpha1.ImagePolicyList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.ImagePolicyList{ListMeta: obj.(*v1alpha1.ImagePolicyList).ListMeta} + for _, item := range obj.(*v1alpha1.ImagePolicyList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested imagePolicies. +func (c *FakeImagePolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(imagepoliciesResource, c.ns, opts)) + +} + +// Create takes the representation of a imagePolicy and creates it. Returns the server's representation of the imagePolicy, and an error, if there is any. +func (c *FakeImagePolicies) Create(ctx context.Context, imagePolicy *v1alpha1.ImagePolicy, opts v1.CreateOptions) (result *v1alpha1.ImagePolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(imagepoliciesResource, c.ns, imagePolicy), &v1alpha1.ImagePolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ImagePolicy), err +} + +// Update takes the representation of a imagePolicy and updates it. Returns the server's representation of the imagePolicy, and an error, if there is any. +func (c *FakeImagePolicies) Update(ctx context.Context, imagePolicy *v1alpha1.ImagePolicy, opts v1.UpdateOptions) (result *v1alpha1.ImagePolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(imagepoliciesResource, c.ns, imagePolicy), &v1alpha1.ImagePolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ImagePolicy), err +} + +// UpdateStatus was generated because the type contains a Status member. 
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeImagePolicies) UpdateStatus(ctx context.Context, imagePolicy *v1alpha1.ImagePolicy, opts v1.UpdateOptions) (*v1alpha1.ImagePolicy, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(imagepoliciesResource, "status", c.ns, imagePolicy), &v1alpha1.ImagePolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ImagePolicy), err +} + +// Delete takes name of the imagePolicy and deletes it. Returns an error if one occurs. +func (c *FakeImagePolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteActionWithOptions(imagepoliciesResource, c.ns, name, opts), &v1alpha1.ImagePolicy{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeImagePolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(imagepoliciesResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.ImagePolicyList{}) + return err +} + +// Patch applies the patch and returns the patched imagePolicy. +func (c *FakeImagePolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ImagePolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(imagepoliciesResource, c.ns, name, pt, data, subresources...), &v1alpha1.ImagePolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ImagePolicy), err +} + +// Apply takes the given apply declarative configuration, applies it and returns the applied imagePolicy. 
+func (c *FakeImagePolicies) Apply(ctx context.Context, imagePolicy *configv1alpha1.ImagePolicyApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.ImagePolicy, err error) { + if imagePolicy == nil { + return nil, fmt.Errorf("imagePolicy provided to Apply must not be nil") + } + data, err := json.Marshal(imagePolicy) + if err != nil { + return nil, err + } + name := imagePolicy.Name + if name == nil { + return nil, fmt.Errorf("imagePolicy.Name must be provided to Apply") + } + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(imagepoliciesResource, c.ns, *name, types.ApplyPatchType, data), &v1alpha1.ImagePolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ImagePolicy), err +} + +// ApplyStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus(). +func (c *FakeImagePolicies) ApplyStatus(ctx context.Context, imagePolicy *configv1alpha1.ImagePolicyApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.ImagePolicy, err error) { + if imagePolicy == nil { + return nil, fmt.Errorf("imagePolicy provided to Apply must not be nil") + } + data, err := json.Marshal(imagePolicy) + if err != nil { + return nil, err + } + name := imagePolicy.Name + if name == nil { + return nil, fmt.Errorf("imagePolicy.Name must be provided to Apply") + } + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(imagepoliciesResource, c.ns, *name, types.ApplyPatchType, data, "status"), &v1alpha1.ImagePolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ImagePolicy), err +} diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/generated_expansion.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/generated_expansion.go index e19b64b19..3a69741b1 100644 
--- a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/generated_expansion.go +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/generated_expansion.go @@ -4,4 +4,8 @@ package v1alpha1 type BackupExpansion interface{} +type ClusterImagePolicyExpansion interface{} + +type ImagePolicyExpansion interface{} + type InsightsDataGatherExpansion interface{} diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/imagepolicy.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/imagepolicy.go new file mode 100644 index 000000000..a67969cf3 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/imagepolicy.go 
@@ -0,0 +1,240 @@ +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + json "encoding/json" + "fmt" + "time" + + v1alpha1 "github.com/openshift/api/config/v1alpha1" + configv1alpha1 "github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1" + scheme "github.com/openshift/client-go/config/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// ImagePoliciesGetter has a method to return a ImagePolicyInterface. +// A group's client should implement this interface. +type ImagePoliciesGetter interface { + ImagePolicies(namespace string) ImagePolicyInterface +} + +// ImagePolicyInterface has methods to work with ImagePolicy resources. +type ImagePolicyInterface interface { + Create(ctx context.Context, imagePolicy *v1alpha1.ImagePolicy, opts v1.CreateOptions) (*v1alpha1.ImagePolicy, error) + Update(ctx context.Context, imagePolicy *v1alpha1.ImagePolicy, opts v1.UpdateOptions) (*v1alpha1.ImagePolicy, error) + UpdateStatus(ctx context.Context, imagePolicy *v1alpha1.ImagePolicy, opts v1.UpdateOptions) (*v1alpha1.ImagePolicy, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.ImagePolicy, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.ImagePolicyList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ImagePolicy, err error) + Apply(ctx context.Context, imagePolicy *configv1alpha1.ImagePolicyApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.ImagePolicy, err error) + ApplyStatus(ctx context.Context, 
imagePolicy *configv1alpha1.ImagePolicyApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.ImagePolicy, err error) + ImagePolicyExpansion +} + +// imagePolicies implements ImagePolicyInterface +type imagePolicies struct { + client rest.Interface + ns string +} + +// newImagePolicies returns a ImagePolicies +func newImagePolicies(c *ConfigV1alpha1Client, namespace string) *imagePolicies { + return &imagePolicies{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the imagePolicy, and returns the corresponding imagePolicy object, and an error if there is any. +func (c *imagePolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.ImagePolicy, err error) { + result = &v1alpha1.ImagePolicy{} + err = c.client.Get(). + Namespace(c.ns). + Resource("imagepolicies"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of ImagePolicies that match those selectors. +func (c *imagePolicies) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.ImagePolicyList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.ImagePolicyList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("imagepolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested imagePolicies. +func (c *imagePolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("imagepolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). 
+ Watch(ctx) +} + +// Create takes the representation of a imagePolicy and creates it. Returns the server's representation of the imagePolicy, and an error, if there is any. +func (c *imagePolicies) Create(ctx context.Context, imagePolicy *v1alpha1.ImagePolicy, opts v1.CreateOptions) (result *v1alpha1.ImagePolicy, err error) { + result = &v1alpha1.ImagePolicy{} + err = c.client.Post(). + Namespace(c.ns). + Resource("imagepolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(imagePolicy). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a imagePolicy and updates it. Returns the server's representation of the imagePolicy, and an error, if there is any. +func (c *imagePolicies) Update(ctx context.Context, imagePolicy *v1alpha1.ImagePolicy, opts v1.UpdateOptions) (result *v1alpha1.ImagePolicy, err error) { + result = &v1alpha1.ImagePolicy{} + err = c.client.Put(). + Namespace(c.ns). + Resource("imagepolicies"). + Name(imagePolicy.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(imagePolicy). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *imagePolicies) UpdateStatus(ctx context.Context, imagePolicy *v1alpha1.ImagePolicy, opts v1.UpdateOptions) (result *v1alpha1.ImagePolicy, err error) { + result = &v1alpha1.ImagePolicy{} + err = c.client.Put(). + Namespace(c.ns). + Resource("imagepolicies"). + Name(imagePolicy.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(imagePolicy). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the imagePolicy and deletes it. Returns an error if one occurs. +func (c *imagePolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("imagepolicies"). + Name(name). + Body(&opts). + Do(ctx). 
+ Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *imagePolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("imagepolicies"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched imagePolicy. +func (c *imagePolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ImagePolicy, err error) { + result = &v1alpha1.ImagePolicy{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("imagepolicies"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} + +// Apply takes the given apply declarative configuration, applies it and returns the applied imagePolicy. +func (c *imagePolicies) Apply(ctx context.Context, imagePolicy *configv1alpha1.ImagePolicyApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.ImagePolicy, err error) { + if imagePolicy == nil { + return nil, fmt.Errorf("imagePolicy provided to Apply must not be nil") + } + patchOpts := opts.ToPatchOptions() + data, err := json.Marshal(imagePolicy) + if err != nil { + return nil, err + } + name := imagePolicy.Name + if name == nil { + return nil, fmt.Errorf("imagePolicy.Name must be provided to Apply") + } + result = &v1alpha1.ImagePolicy{} + err = c.client.Patch(types.ApplyPatchType). + Namespace(c.ns). + Resource("imagepolicies"). + Name(*name). + VersionedParams(&patchOpts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} + +// ApplyStatus was generated because the type contains a Status member. 
+// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus(). +func (c *imagePolicies) ApplyStatus(ctx context.Context, imagePolicy *configv1alpha1.ImagePolicyApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.ImagePolicy, err error) { + if imagePolicy == nil { + return nil, fmt.Errorf("imagePolicy provided to Apply must not be nil") + } + patchOpts := opts.ToPatchOptions() + data, err := json.Marshal(imagePolicy) + if err != nil { + return nil, err + } + + name := imagePolicy.Name + if name == nil { + return nil, fmt.Errorf("imagePolicy.Name must be provided to Apply") + } + + result = &v1alpha1.ImagePolicy{} + err = c.client.Patch(types.ApplyPatchType). + Namespace(c.ns). + Resource("imagepolicies"). + Name(*name). + SubResource("status"). + VersionedParams(&patchOpts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/clusterimagepolicy.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/clusterimagepolicy.go new file mode 100644 index 000000000..2e71741a7 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/clusterimagepolicy.go 
@@ -0,0 +1,73 @@ +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + configv1alpha1 "github.com/openshift/api/config/v1alpha1" + versioned "github.com/openshift/client-go/config/clientset/versioned" + internalinterfaces "github.com/openshift/client-go/config/informers/externalversions/internalinterfaces" + v1alpha1 "github.com/openshift/client-go/config/listers/config/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// ClusterImagePolicyInformer provides access to a shared informer and lister for +// ClusterImagePolicies. +type ClusterImagePolicyInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.ClusterImagePolicyLister +} + +type clusterImagePolicyInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// NewClusterImagePolicyInformer constructs a new informer for ClusterImagePolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewClusterImagePolicyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredClusterImagePolicyInformer(client, resyncPeriod, indexers, nil) +} + +// NewFilteredClusterImagePolicyInformer constructs a new informer for ClusterImagePolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. 
+func NewFilteredClusterImagePolicyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.ConfigV1alpha1().ClusterImagePolicies().List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.ConfigV1alpha1().ClusterImagePolicies().Watch(context.TODO(), options) + }, + }, + &configv1alpha1.ClusterImagePolicy{}, + resyncPeriod, + indexers, + ) +} + +func (f *clusterImagePolicyInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredClusterImagePolicyInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *clusterImagePolicyInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&configv1alpha1.ClusterImagePolicy{}, f.defaultInformer) +} + +func (f *clusterImagePolicyInformer) Lister() v1alpha1.ClusterImagePolicyLister { + return v1alpha1.NewClusterImagePolicyLister(f.Informer().GetIndexer()) +} diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/imagepolicy.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/imagepolicy.go new file mode 100644 index 000000000..ba72caedf --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/imagepolicy.go 
@@ -0,0 +1,74 @@ +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + configv1alpha1 "github.com/openshift/api/config/v1alpha1" + versioned "github.com/openshift/client-go/config/clientset/versioned" + internalinterfaces "github.com/openshift/client-go/config/informers/externalversions/internalinterfaces" + v1alpha1 "github.com/openshift/client-go/config/listers/config/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// ImagePolicyInformer provides access to a shared informer and lister for +// ImagePolicies. +type ImagePolicyInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.ImagePolicyLister +} + +type imagePolicyInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewImagePolicyInformer constructs a new informer for ImagePolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewImagePolicyInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredImagePolicyInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredImagePolicyInformer constructs a new informer for ImagePolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. 
+func NewFilteredImagePolicyInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.ConfigV1alpha1().ImagePolicies(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.ConfigV1alpha1().ImagePolicies(namespace).Watch(context.TODO(), options) + }, + }, + &configv1alpha1.ImagePolicy{}, + resyncPeriod, + indexers, + ) +} + +func (f *imagePolicyInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredImagePolicyInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *imagePolicyInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&configv1alpha1.ImagePolicy{}, f.defaultInformer) +} + +func (f *imagePolicyInformer) Lister() v1alpha1.ImagePolicyLister { + return v1alpha1.NewImagePolicyLister(f.Informer().GetIndexer()) +} diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/interface.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/interface.go index be11ab220..69b5569fa 100644 --- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/interface.go +++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/interface.go 
@@ -10,6 +10,10 @@ import ( type Interface interface { // Backups returns a BackupInformer. Backups() BackupInformer + // ClusterImagePolicies returns a ClusterImagePolicyInformer. + ClusterImagePolicies() ClusterImagePolicyInformer + // ImagePolicies returns a ImagePolicyInformer. + ImagePolicies() ImagePolicyInformer // InsightsDataGathers returns a InsightsDataGatherInformer. InsightsDataGathers() InsightsDataGatherInformer } @@ -30,6 +34,16 @@ func (v *version) Backups() BackupInformer { return &backupInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} } +// ClusterImagePolicies returns a ClusterImagePolicyInformer. +func (v *version) ClusterImagePolicies() ClusterImagePolicyInformer { + return &clusterImagePolicyInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} +} + +// ImagePolicies returns a ImagePolicyInformer. +func (v *version) ImagePolicies() ImagePolicyInformer { + return &imagePolicyInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} + // InsightsDataGathers returns a InsightsDataGatherInformer. func (v *version) InsightsDataGathers() InsightsDataGatherInformer { return &insightsDataGatherInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go index dd8680402..20b3b4e60 100644 --- a/vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go +++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go 
@@ -84,6 +84,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=config.openshift.io, Version=v1alpha1 case v1alpha1.SchemeGroupVersion.WithResource("backups"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().Backups().Informer()}, nil + case v1alpha1.SchemeGroupVersion.WithResource("clusterimagepolicies"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().ClusterImagePolicies().Informer()}, nil + case v1alpha1.SchemeGroupVersion.WithResource("imagepolicies"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().ImagePolicies().Informer()}, nil case v1alpha1.SchemeGroupVersion.WithResource("insightsdatagathers"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().InsightsDataGathers().Informer()}, nil diff --git a/vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/clusterimagepolicy.go b/vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/clusterimagepolicy.go new file mode 100644 index 000000000..80fe45e1e --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/clusterimagepolicy.go 
@@ -0,0 +1,52 @@ +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "github.com/openshift/api/config/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// ClusterImagePolicyLister helps list ClusterImagePolicies. +// All objects returned here must be treated as read-only. +type ClusterImagePolicyLister interface { + // List lists all ClusterImagePolicies in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.ClusterImagePolicy, err error) + // Get retrieves the ClusterImagePolicy from the index for a given name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.ClusterImagePolicy, error) + ClusterImagePolicyListerExpansion +} + +// clusterImagePolicyLister implements the ClusterImagePolicyLister interface. +type clusterImagePolicyLister struct { + indexer cache.Indexer +} + +// NewClusterImagePolicyLister returns a new ClusterImagePolicyLister. +func NewClusterImagePolicyLister(indexer cache.Indexer) ClusterImagePolicyLister { + return &clusterImagePolicyLister{indexer: indexer} +} + +// List lists all ClusterImagePolicies in the indexer. +func (s *clusterImagePolicyLister) List(selector labels.Selector) (ret []*v1alpha1.ClusterImagePolicy, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.ClusterImagePolicy)) + }) + return ret, err +} + +// Get retrieves the ClusterImagePolicy from the index for a given name. +func (s *clusterImagePolicyLister) Get(name string) (*v1alpha1.ClusterImagePolicy, error) { + obj, exists, err := s.indexer.GetByKey(name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("clusterimagepolicy"), name) + } + return obj.(*v1alpha1.ClusterImagePolicy), nil +} 
diff --git a/vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/expansion_generated.go b/vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/expansion_generated.go index d8c8960f1..97e64a7cc 100644 --- a/vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/expansion_generated.go +++ b/vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/expansion_generated.go @@ -6,6 +6,18 @@ package v1alpha1 // BackupLister. type BackupListerExpansion interface{} +// ClusterImagePolicyListerExpansion allows custom methods to be added to +// ClusterImagePolicyLister. +type ClusterImagePolicyListerExpansion interface{} + +// ImagePolicyListerExpansion allows custom methods to be added to +// ImagePolicyLister. +type ImagePolicyListerExpansion interface{} + +// ImagePolicyNamespaceListerExpansion allows custom methods to be added to +// ImagePolicyNamespaceLister. +type ImagePolicyNamespaceListerExpansion interface{} + // InsightsDataGatherListerExpansion allows custom methods to be added to // InsightsDataGatherLister. type InsightsDataGatherListerExpansion interface{} diff --git a/vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/imagepolicy.go b/vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/imagepolicy.go new file mode 100644 index 000000000..4071711ab --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/imagepolicy.go 
@@ -0,0 +1,83 @@ +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "github.com/openshift/api/config/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// ImagePolicyLister helps list ImagePolicies. +// All objects returned here must be treated as read-only. +type ImagePolicyLister interface { + // List lists all ImagePolicies in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.ImagePolicy, err error) + // ImagePolicies returns an object that can list and get ImagePolicies. + ImagePolicies(namespace string) ImagePolicyNamespaceLister + ImagePolicyListerExpansion +} + +// imagePolicyLister implements the ImagePolicyLister interface. +type imagePolicyLister struct { + indexer cache.Indexer +} + +// NewImagePolicyLister returns a new ImagePolicyLister. +func NewImagePolicyLister(indexer cache.Indexer) ImagePolicyLister { + return &imagePolicyLister{indexer: indexer} +} + +// List lists all ImagePolicies in the indexer. +func (s *imagePolicyLister) List(selector labels.Selector) (ret []*v1alpha1.ImagePolicy, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.ImagePolicy)) + }) + return ret, err +} + +// ImagePolicies returns an object that can list and get ImagePolicies. +func (s *imagePolicyLister) ImagePolicies(namespace string) ImagePolicyNamespaceLister { + return imagePolicyNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// ImagePolicyNamespaceLister helps list and get ImagePolicies. +// All objects returned here must be treated as read-only. +type ImagePolicyNamespaceLister interface { + // List lists all ImagePolicies in the indexer for a given namespace. + // Objects returned here must be treated as read-only. 
+ List(selector labels.Selector) (ret []*v1alpha1.ImagePolicy, err error) + // Get retrieves the ImagePolicy from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.ImagePolicy, error) + ImagePolicyNamespaceListerExpansion +} + +// imagePolicyNamespaceLister implements the ImagePolicyNamespaceLister +// interface. +type imagePolicyNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all ImagePolicies in the indexer for a given namespace. +func (s imagePolicyNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.ImagePolicy, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.ImagePolicy)) + }) + return ret, err +} + +// Get retrieves the ImagePolicy from the indexer for a given namespace and name. +func (s imagePolicyNamespaceLister) Get(name string) (*v1alpha1.ImagePolicy, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("imagepolicy"), name) + } + return obj.(*v1alpha1.ImagePolicy), nil +} diff --git a/vendor/modules.txt b/vendor/modules.txt index b14bada5e..ec489ab57 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -160,7 +160,7 @@ github.com/modern-go/reflect2 # github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 ## explicit github.com/munnerz/goautoneg -# github.com/openshift/api v0.0.0-20231128213045-03f577bfbd59 +# github.com/openshift/api v0.0.0-20231212152002-ef62af078a93 ## explicit; go 1.20 github.com/openshift/api github.com/openshift/api/apiserver 
@@ -242,7 +242,7 @@ github.com/openshift/build-machinery-go/make/targets/golang github.com/openshift/build-machinery-go/make/targets/openshift github.com/openshift/build-machinery-go/make/targets/openshift/operator github.com/openshift/build-machinery-go/scripts -# github.com/openshift/client-go v0.0.0-20231121143148-910ca30a1a9a +# github.com/openshift/client-go v0.0.0-20231212205830-0ab0864ec8c2 ## explicit; go 1.20 github.com/openshift/client-go/config/applyconfigurations/config/v1 github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1