diff --git a/go.mod b/go.mod index 6b16115e5..9879332ba 100644 --- a/go.mod +++ b/go.mod @@ -142,6 +142,6 @@ require ( // github.com/operator-framework/operator-sdk. replace ( bitbucket.org/ww/goautoneg => github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d - github.com/openshift/api => github.com/openshift/api v0.0.0-20230503123822-b6cc8ba8ba17 + github.com/openshift/api => github.com/openshift/api v0.0.0-20230602160751-5c5196d9f4af k8s.io/client-go => k8s.io/client-go v0.27.2 ) diff --git a/go.sum b/go.sum index 068ed4bfc..d02c5f0ee 100644 --- a/go.sum +++ b/go.sum @@ -414,7 +414,6 @@ github.com/go-openapi/jsonpointer v0.17.2/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwds github.com/go-openapi/jsonpointer v0.18.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M= github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= @@ -423,7 +422,6 @@ github.com/go-openapi/jsonreference v0.17.2/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3Hfo github.com/go-openapi/jsonreference v0.18.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I= github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= -github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg= github.com/go-openapi/jsonreference v0.20.1 h1:FBLnyygC4/IZZr893oiomc9XaghoveYTrLC1F86HID8= github.com/go-openapi/jsonreference v0.20.1/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= github.com/go-openapi/loads v0.17.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU= @@ -456,7 +454,6 @@ github.com/go-openapi/swag v0.17.2/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/ github.com/go-openapi/swag v0.18.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg= github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= -github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= github.com/go-openapi/validate v0.17.2/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4= @@ -833,7 +830,6 @@ github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= -github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/maistra/istio-operator v0.0.0-20230322122339-793794762e67 h1:MKacYZbpog8jM+uN3/TQS/FUO+Emz/qdAhma63x1pCk= @@ -965,7 +961,6 @@ github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9 github.com/onsi/gomega v1.20.1/go.mod h1:DtrZpjmvpn2mPm4YWQa0/ALMDj9v4YxLgojwPeREyVo= github.com/onsi/gomega v1.21.1/go.mod h1:iYAIXgPSaDHak0LCMA+AWBpIKBr8WZicMxnE8luStNc= github.com/onsi/gomega v1.22.1/go.mod h1:x6n7VNe4hw0vkyYUM4mjIXx3JbLiPaBPNgB7PRQ1tuM= -github.com/onsi/gomega v1.23.0/go.mod h1:Z/NWtiqwBrwUt4/2loMmHL63EDLnYHmVbuBpDr2vQAg= github.com/onsi/gomega v1.24.0/go.mod h1:Z/NWtiqwBrwUt4/2loMmHL63EDLnYHmVbuBpDr2vQAg= github.com/onsi/gomega v1.24.1/go.mod h1:3AOiACssS3/MajrniINInwbfOOtfZvplPzuRSmvt1jM= github.com/onsi/gomega v1.26.0/go.mod h1:r+zV744Re+DiYCIPRlYOTxn0YkOLcAnW8k1xXdMPGhM= @@ -987,8 +982,8 @@ github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.m github.com/opencontainers/runtime-spec v0.1.2-0.20190618234442-a950415649c7/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs= -github.com/openshift/api v0.0.0-20230503123822-b6cc8ba8ba17 h1:7OulZncUKirgo9KhoJGmD4kbZ0YfXcChdDJeI0262pg= -github.com/openshift/api v0.0.0-20230503123822-b6cc8ba8ba17/go.mod h1:ctXNyWanKEjGj8sss1KjjHQ3ENKFm33FFnS5BKaIPh4= +github.com/openshift/api v0.0.0-20230602160751-5c5196d9f4af h1:d31ErBNJPDZkZcUjex+QiTKJLLyMcIhHUkER7CcURwU= +github.com/openshift/api v0.0.0-20230602160751-5c5196d9f4af/go.mod h1:4VWG+W22wrB4HfBL88P40DxLEpSOaiBVxUnfalfJo9k= github.com/openshift/build-machinery-go v0.0.0-20200211121458-5e3d6e570160/go.mod h1:1CkcsT3aVebzRBzVTSbiKSkJMsC/CASqxesfqEMfJEc= github.com/openshift/client-go v0.0.0-20200116152001-92a2713fa240/go.mod h1:4riOwdj99Hd/q+iAcJZfNCsQQQMwURnZV6RL4WHYS5w= github.com/openshift/client-go v0.0.0-20230120202327-72f107311084 h1:66uaqNwA+qYyQDwsMWUfjjau8ezmg1dzCqub13KZOcE= @@ -1435,7 +1430,6 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= -golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= @@ -1966,7 +1960,7 @@ k8s.io/api v0.18.2/go.mod h1:SJCWI7OLzhZSvbY7U8zwNl9UA4o1fizoug34OV/2r78= k8s.io/api v0.18.3/go.mod h1:UOaMwERbqJMfeeeHc8XJKawj4P9TgDRnViIqqBeH2QA= k8s.io/api v0.18.6/go.mod h1:eeyxr+cwCjMdLAmr2W3RyDI0VvTawSg/3RFFBEnmZGI= k8s.io/api v0.19.3/go.mod h1:VF+5FT1B74Pw3KxMdKyinLo+zynBaMBiAfGMuldcNDs= -k8s.io/api v0.26.1/go.mod h1:xd/GBNgR0f707+ATNyPmQ1oyKSgndzXij81FzWGsejg= +k8s.io/api v0.27.1/go.mod h1:z5g/BpAiD+f6AArpqNjkY+cji8ueZDU/WV1jcj5Jk4E= k8s.io/api v0.27.2 h1:+H17AJpUMvl+clT+BPnKf0E3ksMAzoBBg7CntpSuADo= k8s.io/api v0.27.2/go.mod h1:ENmbocXfBT2ADujUXcBhHV55RIT31IIEvkntP6vZKS4= k8s.io/apiextensions-apiserver v0.0.0-20190918161926-8f644eb6e783/go.mod h1:xvae1SZB3E17UpV59AWc271W/Ph25N+bjPyR63X6tPY= @@ -1994,7 +1988,7 @@ k8s.io/apimachinery v0.18.2/go.mod h1:9SnR/e11v5IbyPCGbvJViimtJ0SwHG4nfZFjU77ftc k8s.io/apimachinery v0.18.3/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko= k8s.io/apimachinery v0.18.6/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko= k8s.io/apimachinery v0.19.3/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA= -k8s.io/apimachinery v0.26.1/go.mod h1:tnPmbONNJ7ByJNz9+n9kMjNP8ON+1qoAIIC70lztu74= +k8s.io/apimachinery v0.27.1/go.mod h1:5ikh59fK3AJ287GUvpUsryoMFtH9zj/ARfWCo3AyXTM= k8s.io/apimachinery v0.27.2 h1:vBjGaKKieaIreI+oQwELalVG4d8f3YAMNpWLzDXkxeg= k8s.io/apimachinery v0.27.2/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E= k8s.io/apiserver v0.0.0-20190918160949-bfa5e2e684ad/go.mod h1:XPCXEwhjaFN29a8NldXA901ElnKeKLrLtREO9ZhFyhg= @@ -2066,7 +2060,7 @@ k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKf k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o= -k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4= +k8s.io/kube-openapi v0.0.0-20230308215209-15aac26d736a/go.mod h1:y5VtZWM9sHHc2ZodIH/6SHzXj+TPU5USoA8lcIeKEKY= k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg= k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg= k8s.io/kube-state-metrics v1.7.2/go.mod h1:U2Y6DRi07sS85rmVPmBFlmv+2peBcL8IWGjM+IjYA/E= @@ -2085,7 +2079,6 @@ k8s.io/utils v0.0.0-20200229041039-0a110f9eb7ab/go.mod h1:sZAwmy6armz5eXlNoLmJcl k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= k8s.io/utils v0.0.0-20200603063816-c1c6865ac451/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20221107191617-1a15be271d1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= k8s.io/utils v0.0.0-20230209194617-a36077c30491 h1:r0BAOLElQnnFhE/ApUsg3iHdVYYPBjNSSOMowRZxxsY= k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= maistra.io/api v0.0.0-20210601141927-1cbee4cb8ce8/go.mod h1:Os/zrIv6nsjgC43UAo17FFv+fvYlzANUWIpNNZEZ/KE= @@ -2109,7 +2102,6 @@ sigs.k8s.io/controller-tools v0.3.0/go.mod h1:enhtKGfxZD1GFEoMgP8Fdbu+uKQ/cq1/WG sigs.k8s.io/controller-tools v0.4.1/go.mod h1:G9rHdZMVlBDocIxGkK3jHLWqcTMNvveypYJwrvYKjWU= sigs.k8s.io/gateway-api v0.5.1-0.20220921185115-ee7a83814203 h1:t53lCjyZa7bsj1vZbAboYAH0p0OpqdGpGeM30IZIew8= sigs.k8s.io/gateway-api v0.5.1-0.20220921185115-ee7a83814203/go.mod h1:x0AP6gugkFV8fC/oTlnOMU0pnmuzIR8LfIPRVUjxSqA= -sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/kube-storage-version-migrator v0.0.4 h1:qsCecgZHgdismlTt8xCmS/3numvpxrj58RWJeIg76wc= diff --git a/manifests/00-ingress-credentials-request.yaml b/manifests/00-ingress-credentials-request.yaml index 09cab4c77..7878da40c 100644 --- a/manifests/00-ingress-credentials-request.yaml +++ b/manifests/00-ingress-credentials-request.yaml @@ -26,6 +26,7 @@ spec: - route53:ListTagsForResources - route53:ChangeResourceRecordSets - tag:GetResources + - sts:AssumeRole resource: "*" --- apiVersion: cloudcredential.openshift.io/v1 diff --git a/pkg/dns/aws/dns.go b/pkg/dns/aws/dns.go index 5d321e007..2b6864496 100644 --- a/pkg/dns/aws/dns.go +++ b/pkg/dns/aws/dns.go @@ -16,6 +16,7 @@ import ( "github.com/aws/aws-sdk-go/aws/arn" "github.com/aws/aws-sdk-go/aws/awserr" "github.com/aws/aws-sdk-go/aws/client/metadata" + "github.com/aws/aws-sdk-go/aws/credentials/stscreds" "github.com/aws/aws-sdk-go/aws/endpoints" "github.com/aws/aws-sdk-go/aws/request" "github.com/aws/aws-sdk-go/aws/session" @@ -93,6 +94,9 @@ type Config struct { // that is used by SDK to configure the credentials. SharedCredentialFile string + // RoleARN is an optional ARN to use for the AWS client session. + RoleARN string + // Region is the AWS region ELBs are created in. Region string // ServiceEndpoints is the list of AWS API endpoints to use for @@ -140,6 +144,9 @@ func NewProvider(config Config, operatorReleaseVersion string) (*Provider, error Name: "openshift.io/ingress-operator", Fn: request.MakeAddToUserAgentHandler("openshift.io ingress-operator", operatorReleaseVersion), }) + if config.RoleARN != "" { + sess.Config.WithCredentials(stscreds.NewCredentials(sess, config.RoleARN)) + } if len(region) == 0 { if sess.Config.Region != nil { diff --git a/pkg/dns/split/dns.go b/pkg/dns/split/dns.go new file mode 100644 index 000000000..c055c43f1 --- /dev/null +++ b/pkg/dns/split/dns.go @@ -0,0 +1,58 @@ +package split + +import ( + "reflect" + + iov1 "github.com/openshift/api/operatoringress/v1" + "github.com/openshift/cluster-ingress-operator/pkg/dns" + logf "github.com/openshift/cluster-ingress-operator/pkg/log" + + configv1 "github.com/openshift/api/config/v1" +) + +var ( + _ dns.Provider = &Provider{} + log = logf.Logger.WithName("dns") +) + +// Provider is a dns.Provider that wraps two other providers. The first +// provider is used for public hosted zones, and the second provider is used for +// private hosted zones. +type Provider struct { + private, public dns.Provider + privateZone *configv1.DNSZone +} + +// NewProvider returns a new Provider that wraps the provided wrappers, using +// the first for the public zone and the second for the private zone. +func NewProvider(public, private dns.Provider, privateZone *configv1.DNSZone) *Provider { + return &Provider{ + public: public, + private: private, + privateZone: privateZone, + } +} + +// Ensure calls the Ensure method of one of the wrapped DNS providers. +func (p *Provider) Ensure(record *iov1.DNSRecord, zone configv1.DNSZone) error { + if reflect.DeepEqual(zone, *p.privateZone) { + return p.private.Ensure(record, zone) + } + return p.public.Ensure(record, zone) +} + +// Delete calls the Delete method of one of the wrapped DNS providers. +func (p *Provider) Delete(record *iov1.DNSRecord, zone configv1.DNSZone) error { + if reflect.DeepEqual(zone, *p.privateZone) { + return p.private.Delete(record, zone) + } + return p.public.Delete(record, zone) +} + +// Replace calls the Replace method of one of the wrapped DNS providers. +func (p *Provider) Replace(record *iov1.DNSRecord, zone configv1.DNSZone) error { + if reflect.DeepEqual(zone, *p.privateZone) { + return p.private.Replace(record, zone) + } + return p.public.Replace(record, zone) +} diff --git a/pkg/dns/split/dns_test.go b/pkg/dns/split/dns_test.go new file mode 100644 index 000000000..f2a669f83 --- /dev/null +++ b/pkg/dns/split/dns_test.go @@ -0,0 +1,126 @@ +package split_test + +import ( + "testing" + + "github.com/stretchr/testify/assert" + + configv1 "github.com/openshift/api/config/v1" + iov1 "github.com/openshift/api/operatoringress/v1" + + "github.com/openshift/cluster-ingress-operator/pkg/dns" + splitdns "github.com/openshift/cluster-ingress-operator/pkg/dns/split" +) + +// TestSplitDNSProvider verifies that the split DNS provider dispatches to the +// public or private provider as appropriate for the DNS zone. +func TestSplitDNSProvider(t *testing.T) { + var ( + // ch is a channel that is used in the fake public and private + // providers to record which one is called. + ch = make(chan string, 6) + // getResult reads and returns one item from ch, or returns the + // empty string if ch is empty. + getResult = func() string { + var result string + select { + case result = <-ch: + default: + } + return result + } + // publicProvider is a fake dns.Provider for the public zone. + publicProvider = newFakeProvider("public", ch) + // privateProvider is a fake dns.Provider for the private zone. + privateProvider = newFakeProvider("private", ch) + // publicZoneWithID is a public zone that is defined by ID. + publicZoneWithID = configv1.DNSZone{ID: "public_zone"} + // privateZoneWithID is a private zone that is defined by ID. + privateZoneWithID = configv1.DNSZone{ID: "private_zone"} + // publicZoneWithTags is a public zone that is defined by tags. + publicZoneWithTags = configv1.DNSZone{Tags: map[string]string{"zone": "public"}} + // privateZoneWithID is a private zone that is defined by tags. + privateZoneWithTags = configv1.DNSZone{Tags: map[string]string{"zone": "private"}} + ) + testCases := []struct { + name string + publicZone configv1.DNSZone + privateZone configv1.DNSZone + publishToZone configv1.DNSZone + expect string + }{ + { + name: "publish to public zone specified by id", + publicZone: publicZoneWithID, + privateZone: privateZoneWithID, + publishToZone: publicZoneWithID, + expect: "public", + }, + { + name: "publish to private zone specified by id", + publicZone: publicZoneWithID, + privateZone: privateZoneWithID, + publishToZone: privateZoneWithID, + expect: "private", + }, + { + name: "publish to public zone specified by tags", + publicZone: publicZoneWithTags, + privateZone: privateZoneWithID, + publishToZone: publicZoneWithTags, + expect: "public", + }, + { + name: "publish to private zone specified by tags", + publicZone: publicZoneWithTags, + privateZone: privateZoneWithTags, + publishToZone: privateZoneWithTags, + expect: "private", + }, + { + name: "publish to other zone should fall back to the public zone", + publicZone: publicZoneWithID, + privateZone: privateZoneWithID, + publishToZone: configv1.DNSZone{ID: "other_zone"}, + expect: "public", + }, + } + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + provider := splitdns.NewProvider(publicProvider, privateProvider, &tc.privateZone) + assert.NoError(t, provider.Ensure(&iov1.DNSRecord{}, tc.publishToZone)) + assert.Equal(t, tc.expect, getResult()) + assert.NoError(t, provider.Replace(&iov1.DNSRecord{}, tc.publishToZone)) + assert.Equal(t, tc.expect, getResult()) + assert.NoError(t, provider.Delete(&iov1.DNSRecord{}, tc.publishToZone)) + assert.Equal(t, tc.expect, getResult()) + assert.Empty(t, ch) + }) + } + +} + +var _ dns.Provider = &fakeProvider{} + +type fakeProvider struct { + name string + recorder chan string +} + +func (p *fakeProvider) Ensure(record *iov1.DNSRecord, zone configv1.DNSZone) error { + p.recorder <- p.name + return nil +} +func (p *fakeProvider) Delete(record *iov1.DNSRecord, zone configv1.DNSZone) error { + p.recorder <- p.name + return nil +} +func (p *fakeProvider) Replace(record *iov1.DNSRecord, zone configv1.DNSZone) error { + p.recorder <- p.name + return nil +} + +// newFakeProvider returns a new dns.Provider that records invocations. +func newFakeProvider(name string, ch chan string) dns.Provider { + return &fakeProvider{name, ch} +} diff --git a/pkg/manifests/bindata.go b/pkg/manifests/bindata.go index 03679de9d..654e02d1b 100644 --- a/pkg/manifests/bindata.go +++ b/pkg/manifests/bindata.go @@ -22,7 +22,7 @@ // manifests/00-cluster-role.yaml (3.661kB) // manifests/00-custom-resource-definition-internal.yaml (7.756kB) // manifests/00-custom-resource-definition.yaml (105.24kB) -// manifests/00-ingress-credentials-request.yaml (4.905kB) +// manifests/00-ingress-credentials-request.yaml (4.928kB) // manifests/00-namespace.yaml (508B) // manifests/0000_90_ingress-operator_00_prometheusrole.yaml (446B) // manifests/0000_90_ingress-operator_01_prometheusrolebinding.yaml (514B) @@ -546,7 +546,7 @@ func manifests00CustomResourceDefinitionYaml() (*asset, error) { return a, nil } -var _manifests00IngressCredentialsRequestYaml = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xec\x57\xdf\x6f\xdb\x36\x10\x7e\xf7\x5f\x41\xe8\xa5\x40\x01\xba\x0b\x86\x01\x03\xdf\x1c\x67\xeb\x06\xb4\x43\xe1\x6c\x2d\xb0\xb7\x13\x79\x56\x0e\xa5\x8e\x1a\x8f\x52\xb7\xfe\xf5\x03\x2d\x45\xb6\x2b\xcd\x59\x7e\x74\x08\xb2\xbc\x45\xbc\xef\xa8\xbb\xef\xbe\x2f\xf2\x41\x43\xef\x31\x0a\x05\x36\xca\xfa\xd0\x3a\x1b\xd1\x21\x27\x02\xbf\x0c\x0d\xb2\x5c\xd1\x36\x2d\x29\xbc\xea\xce\x16\x1f\x89\x9d\x51\xeb\x11\x20\x1b\xfc\xa3\x45\x49\x8b\x1a\x13\x38\x48\x60\x16\x4a\x79\x28\xd1\x4b\xfe\x4b\x29\x1b\x38\xc5\xe0\x3d\x46\x9d\x42\xf0\xb2\xfc\xf8\xbd\x2c\x29\x18\x55\x9c\x2d\xbf\x29\x16\x4a\x31\xd4\x68\xd4\xf8\x1e\x4d\x5c\x45\x14\x19\x22\xd2\x80\x3d\x0a\xef\x0a\xd4\xfb\x0a\x75\x68\x30\x42\x0a\x71\xa1\x14\x30\x87\x04\x89\x02\x0f\x2f\x27\xb6\xbe\x75\xb8\x8c\xe8\x11\x04\x8f\xbb\xa1\xb2\x1e\x6e\xab\x81\xa1\x42\x67\x54\x91\x62\x8b\xc5\xcd\xa9\x82\x7e\x7b\x9d\xa5\xaf\xa8\xba\xd2\xd0\x01\x79\x28\xc9\x53\xfa\xeb\x16\xf7\x10\x57\x1e\x35\x07\x87\xda\x61\x87\x3e\x37\x33\xa6\x4b\x83\x36\xf7\x21\x18\x3b\xb2\xb8\xb2\x36\xb4\x9c\x7e\xc9\xac\xe4\x63\xad\x06\xaa\x0e\x29\x10\xb4\x11\xd3\x06\xb7\x3d\x01\x3d\xb9\x5f\x72\x26\x63\x6c\x42\xef\xcc\x95\x4d\x0c\x1d\x39\x8c\x97\x43\x39\x4a\xdd\x46\x30\x19\xdf\x8b\x66\xf5\xe1\xf2\xdd\xc1\x55\xbb\x88\x24\x48\x58\x23\xa7\x1f\x38\x45\xc2\x61\x6c\x5a\xe1\x76\x8b\x36\x19\xb5\xf2\x3e\x7c\xda\x9d\x29\x05\x36\x4f\xd6\x0c\x4f\x5a\xa1\x07\x49\x64\x7d\x00\x57\x82\x07\xb6\xc4\x95\xb9\x40\xb1\x91\x4a\x7c\x13\xc0\x9d\xef\x4e\x31\xca\x98\x12\x43\x9b\xf0\xbb\x6f\xcd\x1b\x92\xf4\x53\x90\x84\xee\xf7\xc0\x38\x1f\xff\x15\x2a\xf9\x31\xc4\x0d\x4a\x68\xa3\x9d\x01\xad\xaf\x80\x2b\xbc\x8e\x6f\xd0\x86\xe8\x2e\x31\xed\x81\x09\x2a\xf3\x3a\x0f\xe3\xf8\x86\x38\x3c\x1b\x55\xbc\x2c\x16\x5a\xeb\xc5\xa3\x34\xa0\x86\xcf\x6d\xc4\x67\x1b\x3e\x39\x1b\xe6\xb1\x4e\x8c\x18\x83\xc7\x73\x62\x47\x5c\x8d\x26\xcc\x67\x46\xad\xb3\x7e\xa8\x6c\x73\x15\x8f\x57\xac\x95\x6d\x9e\xa5\xfa\xd4\xa4\xfa\x7a\xfd\x6e\x22\xd4\x26\x27\x6e\x89\xd1\x6d\x82\xc7\x23\xad\xca\x2b\xc7\xb2\x04\x57\x13\x7f\x1d\xa5\xfe\x93\xf8\xa8\xac\x77\xf7\xdf\x5e\x81\xd7\x03\x7b\x28\xc6\x7e\x3e\x7f\xbb\xce\xe0\x29\x6d\xc1\x93\xa5\x2f\xf8\xda\x7f\x4b\x0b\x1b\xd9\x74\x67\xa6\xf4\x2d\xd6\xf4\xa7\x69\xda\xd2\x93\x35\x04\xb5\x31\xc6\x0c\x72\xca\x84\x9b\xb7\x3b\x0d\xc7\xe2\x0e\xa9\x1b\x04\x77\xb7\xcc\x0f\x91\xd2\x3e\x13\x52\xff\x0f\xe9\xb0\x81\x7e\x34\xc5\x90\x94\x15\x7f\x8d\x56\xaa\x03\xdf\xe6\x20\x71\xc2\xc8\x98\xb4\x74\x56\x8a\xff\x31\x11\x8e\x65\xe4\xe0\xc1\xed\xff\x9f\x3a\xaf\x09\x9f\x30\x76\x77\x58\x16\xbe\x9a\xf1\x72\x41\xef\xa7\x3f\x74\x8f\xfd\x37\x11\xde\x3d\xc5\x77\x3f\x01\xde\x4f\x84\x73\x32\xbc\x59\x8a\x37\xf8\xf2\x99\xa0\xa7\xe9\x57\xf0\x54\x42\x09\x27\xbf\x96\x93\x0a\x1f\xda\xab\xab\xbe\x88\xf9\x0f\xe5\xfc\x46\x9a\xa7\x75\xbc\x7f\x0e\x67\x9e\x1c\x8b\x59\x39\x77\x11\x6a\x20\xee\xb7\xc0\x39\xc8\x6f\x8d\x83\x84\x37\xa1\x2e\xd0\xe3\xbf\x41\xf5\x4b\xee\x21\x4e\x46\xe0\xdc\xee\x7c\xb8\x75\xbe\x78\xf9\xe2\x64\x4f\x4d\x97\x3e\xe7\x8e\xf2\x6a\x3c\x53\xc3\x2e\xdc\x77\x73\x0a\xd1\x77\x72\x1a\xd1\x77\xb1\xc7\xc8\x69\x90\x9c\x6c\x66\xda\xf8\x83\x5b\xe5\xef\x00\x00\x00\xff\xff\xa9\x69\xe0\x68\x29\x13\x00\x00") +var _manifests00IngressCredentialsRequestYaml = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xec\x57\x4d\x6f\xdc\x46\x0c\xbd\xef\xaf\x18\xe8\x12\x20\x80\x36\x35\x8a\x02\xc5\xdc\xd6\xeb\x36\x2d\x90\x14\xc1\xba\x4d\x80\xde\xa8\x19\xae\x4c\x64\xc4\x51\x87\x94\xd2\xe6\xd7\x17\xb3\x92\xf7\xc3\xab\xae\xeb\x8f\x14\x81\xeb\x9b\x3d\x7c\x1c\x91\x8f\xef\x49\x4b\x68\xe9\x3d\x26\xa1\xc8\xd6\xb8\x10\x3b\xef\x12\x7a\x64\x25\x08\xf3\xd8\x22\xcb\x15\xad\x75\x4e\xf1\x55\x7f\x36\xfb\x48\xec\xad\x59\x6e\x01\xb2\xc2\x3f\x3a\x14\x9d\x35\xa8\xe0\x41\xc1\xce\x8c\x09\x50\x61\x90\xfc\x97\x31\x2e\xb2\xa6\x18\x02\xa6\x52\x63\x0c\x32\xff\xf8\xbd\xcc\x29\x5a\x53\x9c\xcd\xbf\x29\x66\xc6\x30\x34\x68\xcd\xf6\x39\x25\x71\x9d\x50\x64\x8c\x48\x0b\xee\x20\xbc\x29\xb0\xdc\x55\x58\xc6\x16\x13\x68\x4c\x33\x63\x80\x39\x2a\x28\x45\x1e\x1f\x4e\xec\x42\xe7\x71\x9e\x30\x20\x08\x1e\x76\x43\x55\x33\xde\xd6\x00\x43\x8d\xde\x9a\x42\x53\x87\xc5\xed\xa9\x82\x61\x7d\x9d\x55\x5e\x51\x7d\x55\x42\x0f\x14\xa0\xa2\x40\xfa\xd7\x1d\xee\x21\xae\x03\x96\x1c\x3d\x96\x1e\x7b\x0c\xb9\x99\x6d\xba\xb4\xe8\x72\x1f\x82\xa9\x27\x87\x0b\xe7\x62\xc7\xfa\x4b\x66\x25\x1f\x97\x66\xa4\x6a\x9f\x02\x41\x97\x50\x57\xb8\x1e\x08\x18\xc8\xbd\xc9\x99\x6c\x63\x47\xf4\x4e\x5c\xd9\xa6\xd8\x93\xc7\x74\x39\x96\x63\xcc\x5d\x04\x93\xf1\x83\x68\x16\x1f\x2e\xdf\xed\x5d\xb5\x89\x88\x82\x62\x83\xac\x3f\xb0\x26\xc2\x71\x6c\xa5\xc1\xf5\x1a\x9d\x5a\xb3\x08\x21\x7e\xda\x9c\x19\x03\x2e\x4f\xd6\x8e\xff\x95\x06\x03\x88\x92\x0b\x11\x7c\x05\x01\xd8\x11\xd7\xf6\x02\xc5\x25\xaa\xf0\x4d\x04\x7f\xbe\x39\xc5\x24\xdb\x94\x14\x3b\xc5\xef\xbe\xb5\x6f\x48\xf4\xa7\x28\x8a\xfe\xf7\xc8\x38\x1d\xff\x15\x6a\xf9\x31\xa6\x15\x4a\xec\x92\x9b\x00\x2d\xaf\x80\x6b\xbc\x8e\xaf\xd0\xc5\xe4\x2f\x51\x77\x40\x85\xda\xbe\xce\xc3\xb8\x79\x83\xa8\xd8\x85\x48\xd7\xe0\x2a\x06\x1c\x8f\xd3\x08\xb3\xa6\x78\x59\xcc\xca\xb2\x9c\x7d\x95\xbe\x2c\xe1\x73\x97\xf0\xd9\x9d\x4f\xce\x9d\x79\xac\x47\xfe\x4c\x31\xe0\x39\xb1\x27\xae\xb7\xde\xcc\x67\xd6\x2c\xb3\x7e\xa8\xea\x72\x15\x5f\xaf\x58\x6b\xd7\x3e\x4b\xf5\xa9\x49\xf5\xf5\xf2\xdd\x91\x50\xdb\x9c\xb8\x26\x46\x9f\x5f\xa9\x07\x5a\x95\x57\x9e\x65\x0e\xbe\x21\xfe\x32\x4a\xfd\x27\xf1\x51\xd5\x6c\xee\xbf\xbb\x02\xaf\x07\xf6\x58\x8c\xfd\x7c\xfe\x76\x99\xc1\xc7\xb4\xc5\x40\x8e\x6e\xf0\xb5\xfb\xc4\x16\x2e\xb1\xed\xcf\x6c\x15\x3a\x6c\xe8\x4f\xdb\x76\x55\x20\x67\x09\x1a\x6b\xad\x1d\xe5\x94\x09\xb7\x6f\x37\x1a\x4e\xc5\x3d\x52\x57\x08\xfe\x7e\x99\x1f\x12\xe9\x2e\x13\x74\x78\x21\xed\x37\x30\x8c\xa6\x18\x93\xb2\xe2\xaf\xd1\xc6\xf4\x10\xba\x1c\x24\x56\x4c\x8c\x5a\x4a\xef\xa4\xf8\x1f\x13\xe1\x59\xb6\x1c\x3c\xba\xfd\xff\x53\xe7\xb5\xf1\x13\xa6\xfe\x1e\x3b\xc4\x17\x33\x5e\x2e\xe8\xfd\xf1\xef\xdf\x43\xff\x1d\x09\xef\x81\xe2\x7b\x98\x00\x1f\x26\xc2\x29\x19\xde\x2e\xc5\x5b\x7c\xf9\x4c\xd0\xd3\xf4\x2b\x04\xaa\xa0\x82\x93\x5f\xcb\xa3\x0a\x1f\xdb\xab\x8b\xa1\x88\xe9\x0f\xe5\xf4\xa2\x9a\xa7\x75\xb8\x96\x8e\x67\x81\x3c\x8b\x5d\x78\x7f\x11\x1b\x20\x1e\x96\xc3\x29\xc8\x6f\xad\x07\xc5\xdb\x50\x17\x18\xf0\xdf\xa0\x86\xdd\x77\x1f\x27\x5b\xe0\xd4\x4a\xbd\xbf\x75\xbe\x78\xf9\xe2\x64\x4f\x6d\xaf\x9f\x73\x47\x79\x63\x9e\xa8\x61\x13\x1e\xba\x39\x85\x18\x3a\x39\x8d\x18\xba\xd8\x61\xe4\x34\x48\x4e\x36\x73\xdc\xf8\xa3\x5b\xe5\xef\x00\x00\x00\xff\xff\xa8\xfc\x88\x32\x40\x13\x00\x00") func manifests00IngressCredentialsRequestYamlBytes() ([]byte, error) { return bindataRead( @@ -561,8 +561,8 @@ func manifests00IngressCredentialsRequestYaml() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "manifests/00-ingress-credentials-request.yaml", size: 4905, mode: os.FileMode(420), modTime: time.Unix(1, 0)} - a := &asset{bytes: bytes, info: info, digest: [32]uint8{0xa2, 0xe6, 0x7c, 0x7, 0x90, 0x9c, 0xd5, 0xcf, 0xe2, 0x46, 0x63, 0x83, 0xd, 0x38, 0x92, 0x27, 0x20, 0x80, 0xa1, 0xe9, 0x70, 0x7f, 0xd4, 0x8f, 0x6f, 0xbc, 0x8b, 0xc3, 0xad, 0xd2, 0x59, 0x9e}} + info := bindataFileInfo{name: "manifests/00-ingress-credentials-request.yaml", size: 4928, mode: os.FileMode(420), modTime: time.Unix(1, 0)} + a := &asset{bytes: bytes, info: info, digest: [32]uint8{0xca, 0x11, 0xd4, 0x75, 0x74, 0x68, 0x36, 0xb9, 0x31, 0x15, 0x12, 0x9f, 0x86, 0xf6, 0x7b, 0xc4, 0xbb, 0xa2, 0xe9, 0x42, 0xcd, 0xef, 0x65, 0xb0, 0x7a, 0x9a, 0x5d, 0x6d, 0x25, 0x41, 0x9f, 0x8e}} return a, nil } diff --git a/pkg/operator/controller/dns/controller.go b/pkg/operator/controller/dns/controller.go index b53e17520..c81949081 100644 --- a/pkg/operator/controller/dns/controller.go +++ b/pkg/operator/controller/dns/controller.go @@ -22,6 +22,7 @@ import ( ibm "github.com/openshift/cluster-ingress-operator/pkg/dns/ibm" ibmprivatedns "github.com/openshift/cluster-ingress-operator/pkg/dns/ibm/private" ibmpublicdns "github.com/openshift/cluster-ingress-operator/pkg/dns/ibm/public" + splitdns "github.com/openshift/cluster-ingress-operator/pkg/dns/split" logf "github.com/openshift/cluster-ingress-operator/pkg/log" "github.com/openshift/cluster-ingress-operator/pkg/manifests" "github.com/openshift/cluster-ingress-operator/pkg/operator/controller" @@ -112,6 +113,9 @@ type Config struct { DNSRecordNamespaces []string OperatorReleaseVersion string AzureWorkloadIdentityEnabled bool + // PrivateHostedZoneAWSEnabled indicates whether the "SharedVPC" feature gate is + // enabled. + PrivateHostedZoneAWSEnabled bool } type reconciler struct { @@ -664,7 +668,21 @@ func (r *reconciler) createDNSProvider(dnsConfig *configv1.DNS, platformStatus * if err != nil { return nil, fmt.Errorf("failed to create AWS DNS manager: %v", err) } - dnsProvider = provider + var roleARN string + if dnsConfig.Spec.Platform.AWS != nil { + roleARN = dnsConfig.Spec.Platform.AWS.PrivateZoneIAMRole + } + if roleARN != "" && r.config.PrivateHostedZoneAWSEnabled { + cfg := cfg + cfg.RoleARN = roleARN + privateProvider, err := awsdns.NewProvider(cfg, r.config.OperatorReleaseVersion) + if err != nil { + return nil, fmt.Errorf("failed to create AWS DNS manager for shared VPC: %v", err) + } + dnsProvider = splitdns.NewProvider(provider, privateProvider, dnsConfig.Spec.PrivateZone) + } else { + dnsProvider = provider + } case configv1.AzurePlatformType: environment := platformStatus.Azure.CloudName if environment == "" { diff --git a/pkg/operator/operator.go b/pkg/operator/operator.go index 6c87a997b..7e19fcf3f 100644 --- a/pkg/operator/operator.go +++ b/pkg/operator/operator.go @@ -128,6 +128,7 @@ func New(config operatorconfig.Config, kubeConfig *rest.Config) (*Operator, erro return nil, err } azureWorkloadIdentityEnabled := featureGates.Enabled(configv1.FeatureGateAzureWorkloadIdentity) + sharedVPCEnabled := featureGates.Enabled(configv1.FeatureGatePrivateHostedZoneAWS) gatewayAPIEnabled := featureGates.Enabled(configv1.FeatureGateGatewayAPI) // Set up an operator manager for the operator namespace. @@ -244,6 +245,7 @@ func New(config operatorconfig.Config, kubeConfig *rest.Config) (*Operator, erro }, OperatorReleaseVersion: config.OperatorReleaseVersion, AzureWorkloadIdentityEnabled: azureWorkloadIdentityEnabled, + PrivateHostedZoneAWSEnabled: sharedVPCEnabled, }); err != nil { return nil, fmt.Errorf("failed to create dns controller: %v", err) } diff --git a/vendor/github.com/openshift/api/.ci-operator.yaml b/vendor/github.com/openshift/api/.ci-operator.yaml index 3189dd712..844f0d26a 100644 --- a/vendor/github.com/openshift/api/.ci-operator.yaml +++ b/vendor/github.com/openshift/api/.ci-operator.yaml @@ -1,4 +1,4 @@ build_root_image: name: release namespace: openshift - tag: rhel-8-release-golang-1.19-openshift-4.13 + tag: rhel-8-release-golang-1.20-openshift-4.14 diff --git a/vendor/github.com/openshift/api/Makefile b/vendor/github.com/openshift/api/Makefile index 387950230..2e0094b4d 100644 --- a/vendor/github.com/openshift/api/Makefile +++ b/vendor/github.com/openshift/api/Makefile @@ -4,7 +4,7 @@ all: build update: update-codegen-crds RUNTIME ?= podman -RUNTIME_IMAGE_NAME ?= registry.ci.openshift.org/openshift/release:rhel-8-release-golang-1.19-openshift-4.13 +RUNTIME_IMAGE_NAME ?= registry.ci.openshift.org/openshift/release:rhel-8-release-golang-1.20-openshift-4.14 EXCLUDE_DIRS := _output/ dependencymagnet/ hack/ third_party/ tls/ tools/ vendor/ tests/ GO_PACKAGES :=$(addsuffix ...,$(addprefix ./,$(filter-out $(EXCLUDE_DIRS), $(wildcard */)))) diff --git a/vendor/github.com/openshift/api/config/v1/0000_00_cluster-version-operator_01_clusterversion.crd.yaml b/vendor/github.com/openshift/api/config/v1/0000_00_cluster-version-operator_01_clusterversion.crd.yaml index 16a333ca8..0028eaa7b 100644 --- a/vendor/github.com/openshift/api/config/v1/0000_00_cluster-version-operator_01_clusterversion.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/0000_00_cluster-version-operator_01_clusterversion.crd.yaml @@ -71,6 +71,7 @@ spec: - Storage - CSISnapshot - NodeTuning + - MachineAPI x-kubernetes-list-type: atomic baselineCapabilitySet: description: baselineCapabilitySet selects an initial set of optional capabilities to enable, which can be extended via additionalEnabledCapabilities. If unset, the cluster will choose a default, and the default may change over time. The current default is vCurrent. @@ -80,6 +81,7 @@ spec: - v4.11 - v4.12 - v4.13 + - v4.14 - vCurrent channel: description: channel is an identifier for explicitly requesting that a non-default set of updates be applied to this cluster. The default channel will be contain stable updates that are appropriate for production clusters. @@ -192,6 +194,7 @@ spec: - Storage - CSISnapshot - NodeTuning + - MachineAPI x-kubernetes-list-type: atomic knownCapabilities: description: knownCapabilities lists all the capabilities known to the current cluster. @@ -208,6 +211,7 @@ spec: - Storage - CSISnapshot - NodeTuning + - MachineAPI x-kubernetes-list-type: atomic conditionalUpdates: description: conditionalUpdates contains the list of updates that may be recommended for this cluster if it meets specific required conditions. Consumers interested in the set of updates that are actually recommended for this cluster should use availableUpdates. This list may be empty if no updates are recommended, if the update service is unavailable, or if an empty or invalid channel has been specified. diff --git a/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_build.crd.yaml b/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_build.crd.yaml index 89eb92a53..75166deb7 100644 --- a/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_build.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_build.crd.yaml @@ -205,7 +205,7 @@ spec: type: object properties: claims: - description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field is immutable." + description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field is immutable. It can only be set for containers." type: array items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. @@ -229,7 +229,7 @@ spec: - type: string x-kubernetes-int-or-string: true requests: - description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object additionalProperties: pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ diff --git a/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_dns-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_dns-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 000000000..043b6fc60 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_dns-TechPreviewNoUpgrade.crd.yaml @@ -0,0 +1,114 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: dnses.config.openshift.io +spec: + group: config.openshift.io + names: + kind: DNS + listKind: DNSList + plural: dnses + singular: dns + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: "DNS holds cluster-wide information about DNS. The canonical name is `cluster` \n Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer)." + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + type: object + properties: + baseDomain: + description: "baseDomain is the base domain of the cluster. All managed DNS records will be sub-domains of this base. \n For example, given the base domain `openshift.example.com`, an API server DNS record may be created for `cluster-api.openshift.example.com`. \n Once set, this field cannot be changed." + type: string + platform: + description: platform holds configuration specific to the underlying infrastructure provider for DNS. When omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. + type: object + required: + - type + properties: + aws: + description: aws contains DNS configuration specific to the Amazon Web Services cloud provider. + type: object + properties: + privateZoneIAMRole: + description: privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing operations on the cluster's private hosted zone specified in the cluster DNS config. When left empty, no role should be assumed. + type: string + pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ + type: + description: "type is the underlying infrastructure provider for the cluster. Allowed values: \"\", \"AWS\". \n Individual components may not support all platforms, and must handle unrecognized platforms with best-effort defaults." + type: string + enum: + - "" + - AWS + - Azure + - BareMetal + - GCP + - Libvirt + - OpenStack + - None + - VSphere + - oVirt + - IBMCloud + - KubeVirt + - EquinixMetal + - PowerVS + - AlibabaCloud + - Nutanix + - External + x-kubernetes-validations: + - rule: self in ['','AWS'] + message: allowed values are '' and 'AWS' + x-kubernetes-validations: + - rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) : !has(self.aws)' + message: aws configuration is required when platform is AWS, and forbidden otherwise + privateZone: + description: "privateZone is the location where all the DNS records that are only available internally to the cluster exist. \n If this field is nil, no private records should be created. \n Once set, this field cannot be changed." + type: object + properties: + id: + description: "id is the identifier that can be used to find the DNS hosted zone. \n on AWS zone can be fetched using `ID` as id in [1] on Azure zone can be fetched using `ID` as a pre-determined name in [2], on GCP zone can be fetched using `ID` as a pre-determined name in [3]. \n [1]: https://docs.aws.amazon.com/cli/latest/reference/route53/get-hosted-zone.html#options [2]: https://docs.microsoft.com/en-us/cli/azure/network/dns/zone?view=azure-cli-latest#az-network-dns-zone-show [3]: https://cloud.google.com/dns/docs/reference/v1/managedZones/get" + type: string + tags: + description: "tags can be used to query the DNS hosted zone. \n on AWS, resourcegroupstaggingapi [1] can be used to fetch a zone using `Tags` as tag-filters, \n [1]: https://docs.aws.amazon.com/cli/latest/reference/resourcegroupstaggingapi/get-resources.html#options" + type: object + additionalProperties: + type: string + publicZone: + description: "publicZone is the location where all the DNS records that are publicly accessible to the internet exist. \n If this field is nil, no public records should be created. \n Once set, this field cannot be changed." + type: object + properties: + id: + description: "id is the identifier that can be used to find the DNS hosted zone. \n on AWS zone can be fetched using `ID` as id in [1] on Azure zone can be fetched using `ID` as a pre-determined name in [2], on GCP zone can be fetched using `ID` as a pre-determined name in [3]. \n [1]: https://docs.aws.amazon.com/cli/latest/reference/route53/get-hosted-zone.html#options [2]: https://docs.microsoft.com/en-us/cli/azure/network/dns/zone?view=azure-cli-latest#az-network-dns-zone-show [3]: https://cloud.google.com/dns/docs/reference/v1/managedZones/get" + type: string + tags: + description: "tags can be used to query the DNS hosted zone. \n on AWS, resourcegroupstaggingapi [1] can be used to fetch a zone using `Tags` as tag-filters, \n [1]: https://docs.aws.amazon.com/cli/latest/reference/resourcegroupstaggingapi/get-resources.html#options" + type: object + additionalProperties: + type: string + status: + description: status holds observed values from the cluster. They may not be overridden. + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_dns.crd.yaml b/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_dns.crd.yaml index e4fa56eee..bbf40f65e 100644 --- a/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_dns.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_dns.crd.yaml @@ -6,6 +6,7 @@ metadata: include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" + release.openshift.io/feature-set: Default name: dnses.config.openshift.io spec: group: config.openshift.io diff --git a/vendor/github.com/openshift/api/config/v1/feature_gates.go b/vendor/github.com/openshift/api/config/v1/feature_gates.go index 04e081e0a..2c06da3cd 100644 --- a/vendor/github.com/openshift/api/config/v1/feature_gates.go +++ b/vendor/github.com/openshift/api/config/v1/feature_gates.go @@ -182,4 +182,64 @@ var ( ResponsiblePerson: "abutcher", OwningProduct: ocpSpecific, } + + FeatureGateMaxUnavailableStatefulSet = FeatureGateName("MaxUnavailableStatefulSet") + maxUnavailableStatefulSet = FeatureGateDescription{ + FeatureGateAttributes: FeatureGateAttributes{ + Name: FeatureGateMaxUnavailableStatefulSet, + }, + OwningJiraComponent: "apps", + ResponsiblePerson: "atiratree", + OwningProduct: kubernetes, + } + + FeatureGateEventedPLEG = FeatureGateName("EventedPLEG") + eventedPleg = FeatureGateDescription{ + FeatureGateAttributes: FeatureGateAttributes{ + Name: FeatureGateEventedPLEG, + }, + OwningJiraComponent: "node", + ResponsiblePerson: "sairameshv", + OwningProduct: kubernetes, + } + + FeatureGatePrivateHostedZoneAWS = FeatureGateName("PrivateHostedZoneAWS") + privateHostedZoneAWS = FeatureGateDescription{ + FeatureGateAttributes: FeatureGateAttributes{ + Name: FeatureGatePrivateHostedZoneAWS, + }, + OwningJiraComponent: "Routing", + ResponsiblePerson: "miciah", + OwningProduct: ocpSpecific, + } + + FeatureGateSigstoreImageVerification = FeatureGateName("SigstoreImageVerification") + sigstoreImageVerification = FeatureGateDescription{ + FeatureGateAttributes: FeatureGateAttributes{ + Name: FeatureGateSigstoreImageVerification, + }, + OwningJiraComponent: "node", + ResponsiblePerson: "sgrunert", + OwningProduct: ocpSpecific, + } + + FeatureGateGCPLabelsTags = FeatureGateName("GCPLabelsTags") + gcpLabelsTags = FeatureGateDescription{ + FeatureGateAttributes: FeatureGateAttributes{ + Name: FeatureGateGCPLabelsTags, + }, + OwningJiraComponent: "Installer", + ResponsiblePerson: "bhb", + OwningProduct: ocpSpecific, + } + + FeatureGateAlibabaPlatform = FeatureGateName("AlibabaPlatform") + alibabaPlatform = FeatureGateDescription{ + FeatureGateAttributes: FeatureGateAttributes{ + Name: FeatureGateAlibabaPlatform, + }, + OwningJiraComponent: "cloud-provider", + ResponsiblePerson: "jspeed", + OwningProduct: ocpSpecific, + } ) diff --git a/vendor/github.com/openshift/api/config/v1/techpreview.dns.testsuite.yaml b/vendor/github.com/openshift/api/config/v1/techpreview.dns.testsuite.yaml new file mode 100644 index 000000000..a63ff885d --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/techpreview.dns.testsuite.yaml @@ -0,0 +1,104 @@ +apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this +name: "[TechPreview] DNS" +crd: 0000_10_config-operator_01_dns-TechPreviewNoUpgrade.crd.yaml +tests: + onCreate: + - name: Should be able to create a minimal DNS + initial: | + apiVersion: config.openshift.io/v1 + kind: DNS + spec: {} # No spec is required for a DNS + expected: | + apiVersion: config.openshift.io/v1 + kind: DNS + spec: {} + - name: Should be able to specify an AWS role ARN for a private hosted zone + initial: | + apiVersion: config.openshift.io/v1 + kind: DNS + spec: + platform: + type: AWS + aws: + privateZoneIAMRole: arn:aws:iam::123456789012:role/foo + expected: | + apiVersion: config.openshift.io/v1 + kind: DNS + spec: + platform: + type: AWS + aws: + privateZoneIAMRole: arn:aws:iam::123456789012:role/foo + - name: Should not be able to specify unsupported platform + initial: | + apiVersion: config.openshift.io/v1 + kind: DNS + spec: + platform: + type: Azure + azure: + privateZoneIAMRole: arn:aws:iam::123456789012:role/foo + expectedError: "Invalid value: \"string\": allowed values are '' and 'AWS'" + - name: Should not be able to specify invalid AWS role ARN + initial: | + apiVersion: config.openshift.io/v1 + kind: DNS + metadata: + name: cluster + spec: + platform: + type: AWS + aws: + privateZoneIAMRole: arn:aws:iam:bad:123456789012:role/foo + expectedError: "DNS.config.openshift.io \"cluster\" is invalid: spec.platform.aws.privateZoneIAMRole: Invalid value: \"arn:aws:iam:bad:123456789012:role/foo\": spec.platform.aws.privateZoneIAMRole in body should match '^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\\/.*$'" + - name: Should not be able to specify different type and platform + initial: | + apiVersion: config.openshift.io/v1 + kind: DNS + spec: + platform: + type: "" + aws: + privateZoneIAMRole: arn:aws:iam::123456789012:role/foo + expectedError: "Invalid value: \"object\": aws configuration is required when platform is AWS, and forbidden otherwise" + onUpdate: + - name: Can switch from empty (default), to AWS + initial: | + apiVersion: config.openshift.io/v1 + kind: DNS + spec: + platform: + type: "" + updated: | + apiVersion: config.openshift.io/v1 + kind: DNS + spec: + platform: + type: AWS + aws: + privateZoneIAMRole: arn:aws:iam::123456789012:role/foo + expected: | + apiVersion: config.openshift.io/v1 + kind: DNS + spec: + platform: + type: AWS + aws: + privateZoneIAMRole: arn:aws:iam::123456789012:role/foo + - name: Upgrade case is valid + initial: | + apiVersion: config.openshift.io/v1 + kind: DNS + spec: {} # No spec is required for a DNS + updated: | + apiVersion: config.openshift.io/v1 + kind: DNS + spec: + platform: + type: "" + expected: | + apiVersion: config.openshift.io/v1 + kind: DNS + spec: + platform: + type: "" diff --git a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go index 8126626c0..234720477 100644 --- a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go +++ b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go @@ -247,7 +247,7 @@ const ( ) // ClusterVersionCapability enumerates optional, core cluster components. -// +kubebuilder:validation:Enum=openshift-samples;baremetal;marketplace;Console;Insights;Storage;CSISnapshot;NodeTuning +// +kubebuilder:validation:Enum=openshift-samples;baremetal;marketplace;Console;Insights;Storage;CSISnapshot;NodeTuning;MachineAPI type ClusterVersionCapability string const ( @@ -296,6 +296,23 @@ const ( // objects and manages the containerized TuneD daemon which controls // system level tuning of Nodes ClusterVersionCapabilityNodeTuning ClusterVersionCapability = "NodeTuning" + + // ClusterVersionCapabilityMachineAPI manages + // machine-api-operator + // cluster-autoscaler-operator + // cluster-control-plane-machine-set-operator + // which is responsible for machines configuration and heavily + // targeted for SNO clusters. + // + // The following CRDs are disabled as well + // machines + // machineset + // controlplanemachineset + // + // WARNING: Do not disable that capability without reading + // documentation. This is important part of openshift system + // and may cause cluster damage + ClusterVersionCapabilityMachineAPI ClusterVersionCapability = "MachineAPI" ) // KnownClusterVersionCapabilities includes all known optional, core cluster components. @@ -308,10 +325,11 @@ var KnownClusterVersionCapabilities = []ClusterVersionCapability{ ClusterVersionCapabilityOpenShiftSamples, ClusterVersionCapabilityCSISnapshot, ClusterVersionCapabilityNodeTuning, + ClusterVersionCapabilityMachineAPI, } // ClusterVersionCapabilitySet defines sets of cluster version capabilities. -// +kubebuilder:validation:Enum=None;v4.11;v4.12;v4.13;vCurrent +// +kubebuilder:validation:Enum=None;v4.11;v4.12;v4.13;v4.14;vCurrent type ClusterVersionCapabilitySet string const ( @@ -337,6 +355,12 @@ const ( // version of OpenShift is installed. ClusterVersionCapabilitySet4_13 ClusterVersionCapabilitySet = "v4.13" + // ClusterVersionCapabilitySet4_14 is the recommended set of + // optional capabilities to enable for the 4.14 version of + // OpenShift. This list will remain the same no matter which + // version of OpenShift is installed. + ClusterVersionCapabilitySet4_14 ClusterVersionCapabilitySet = "v4.14" + // ClusterVersionCapabilitySetCurrent is the recommended set // of optional capabilities to enable for the cluster's // current version of OpenShift. @@ -370,6 +394,17 @@ var ClusterVersionCapabilitySets = map[ClusterVersionCapabilitySet][]ClusterVers ClusterVersionCapabilityCSISnapshot, ClusterVersionCapabilityNodeTuning, }, + ClusterVersionCapabilitySet4_14: { + ClusterVersionCapabilityBaremetal, + ClusterVersionCapabilityConsole, + ClusterVersionCapabilityInsights, + ClusterVersionCapabilityMarketplace, + ClusterVersionCapabilityStorage, + ClusterVersionCapabilityOpenShiftSamples, + ClusterVersionCapabilityCSISnapshot, + ClusterVersionCapabilityNodeTuning, + ClusterVersionCapabilityMachineAPI, + }, ClusterVersionCapabilitySetCurrent: { ClusterVersionCapabilityBaremetal, ClusterVersionCapabilityConsole, @@ -379,6 +414,7 @@ var ClusterVersionCapabilitySets = map[ClusterVersionCapabilitySet][]ClusterVers ClusterVersionCapabilityOpenShiftSamples, ClusterVersionCapabilityCSISnapshot, ClusterVersionCapabilityNodeTuning, + ClusterVersionCapabilityMachineAPI, }, } diff --git a/vendor/github.com/openshift/api/config/v1/types_dns.go b/vendor/github.com/openshift/api/config/v1/types_dns.go index 6283a2997..afd241f9f 100644 --- a/vendor/github.com/openshift/api/config/v1/types_dns.go +++ b/vendor/github.com/openshift/api/config/v1/types_dns.go @@ -53,6 +53,13 @@ type DNSSpec struct { // // +optional PrivateZone *DNSZone `json:"privateZone,omitempty"` + // platform holds configuration specific to the underlying + // infrastructure provider for DNS. + // When omitted, this means the user has no opinion and the platform is left + // to choose reasonable defaults. These defaults are subject to change over time. + // +openshift:enable:FeatureSets=TechPreviewNoUpgrade + // +optional + Platform DNSPlatformSpec `json:"platform,omitempty"` } // DNSZone is used to define a DNS hosted zone. @@ -96,3 +103,34 @@ type DNSList struct { Items []DNS `json:"items"` } + +// DNSPlatformSpec holds cloud-provider-specific configuration +// for DNS administration. +// +union +// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'AWS' ? has(self.aws) : !has(self.aws)",message="aws configuration is required when platform is AWS, and forbidden otherwise" +type DNSPlatformSpec struct { + // type is the underlying infrastructure provider for the cluster. + // Allowed values: "", "AWS". + // + // Individual components may not support all platforms, + // and must handle unrecognized platforms with best-effort defaults. + // + // +unionDiscriminator + // +kubebuilder:validation:Required + // +kubebuilder:validation:XValidation:rule="self in ['','AWS']",message="allowed values are '' and 'AWS'" + Type PlatformType `json:"type"` + + // aws contains DNS configuration specific to the Amazon Web Services cloud provider. + // +optional + AWS *AWSDNSSpec `json:"aws"` +} + +// AWSDNSSpec contains DNS configuration specific to the Amazon Web Services cloud provider. +type AWSDNSSpec struct { + // privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing + // operations on the cluster's private hosted zone specified in the cluster DNS config. + // When left empty, no role should be assumed. + // +kubebuilder:validation:Pattern:=`^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$` + // +optional + PrivateZoneIAMRole string `json:"privateZoneIAMRole"` +} diff --git a/vendor/github.com/openshift/api/config/v1/types_feature.go b/vendor/github.com/openshift/api/config/v1/types_feature.go index c2f8c47e5..662c47ef1 100644 --- a/vendor/github.com/openshift/api/config/v1/types_feature.go +++ b/vendor/github.com/openshift/api/config/v1/types_feature.go @@ -178,6 +178,11 @@ var FeatureSets = map[FeatureSet]*FeatureGateEnabledDisabled{ with(admissionWebhookMatchConditions). with(azureWorkloadIdentity). with(gateGatewayAPI). + with(maxUnavailableStatefulSet). + with(eventedPleg). + with(privateHostedZoneAWS). + with(sigstoreImageVerification). + with(gcpLabelsTags). toFeatures(defaultFeatures), LatencySensitive: newDefaultFeatures(). toFeatures(defaultFeatures), @@ -186,6 +191,7 @@ var FeatureSets = map[FeatureSet]*FeatureGateEnabledDisabled{ var defaultFeatures = &FeatureGateEnabledDisabled{ Enabled: []FeatureGateDescription{ openShiftPodSecurityAdmission, + alibabaPlatform, // This is a bug, it should be TechPreviewNoUpgrade. This must be downgraded before 4.14 is shipped. }, Disabled: []FeatureGateDescription{ retroactiveDefaultStorageClass, diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go index 4db1b9ad4..fbc6e1565 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go @@ -179,6 +179,22 @@ func (in *APIServerStatus) DeepCopy() *APIServerStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AWSDNSSpec) DeepCopyInto(out *AWSDNSSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSDNSSpec. +func (in *AWSDNSSpec) DeepCopy() *AWSDNSSpec { + if in == nil { + return nil + } + out := new(AWSDNSSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AWSIngressSpec) DeepCopyInto(out *AWSIngressSpec) { *out = *in @@ -1580,6 +1596,27 @@ func (in *DNSList) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *DNSPlatformSpec) DeepCopyInto(out *DNSPlatformSpec) { + *out = *in + if in.AWS != nil { + in, out := &in.AWS, &out.AWS + *out = new(AWSDNSSpec) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DNSPlatformSpec. +func (in *DNSPlatformSpec) DeepCopy() *DNSPlatformSpec { + if in == nil { + return nil + } + out := new(DNSPlatformSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *DNSSpec) DeepCopyInto(out *DNSSpec) { *out = *in @@ -1593,6 +1630,7 @@ func (in *DNSSpec) DeepCopyInto(out *DNSSpec) { *out = new(DNSZone) (*in).DeepCopyInto(*out) } + in.Platform.DeepCopyInto(&out.Platform) return } diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go index 179d921e1..e7e51453f 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go @@ -746,6 +746,15 @@ func (ConsoleStatus) SwaggerDoc() map[string]string { return map_ConsoleStatus } +var map_AWSDNSSpec = map[string]string{ + "": "AWSDNSSpec contains DNS configuration specific to the Amazon Web Services cloud provider.", + "privateZoneIAMRole": "privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing operations on the cluster's private hosted zone specified in the cluster DNS config. When left empty, no role should be assumed.", +} + +func (AWSDNSSpec) SwaggerDoc() map[string]string { + return map_AWSDNSSpec +} + var map_DNS = map[string]string{ "": "DNS holds cluster-wide information about DNS. The canonical name is `cluster`\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", @@ -766,10 +775,21 @@ func (DNSList) SwaggerDoc() map[string]string { return map_DNSList } +var map_DNSPlatformSpec = map[string]string{ + "": "DNSPlatformSpec holds cloud-provider-specific configuration for DNS administration.", + "type": "type is the underlying infrastructure provider for the cluster. Allowed values: \"\", \"AWS\".\n\nIndividual components may not support all platforms, and must handle unrecognized platforms with best-effort defaults.", + "aws": "aws contains DNS configuration specific to the Amazon Web Services cloud provider.", +} + +func (DNSPlatformSpec) SwaggerDoc() map[string]string { + return map_DNSPlatformSpec +} + var map_DNSSpec = map[string]string{ "baseDomain": "baseDomain is the base domain of the cluster. All managed DNS records will be sub-domains of this base.\n\nFor example, given the base domain `openshift.example.com`, an API server DNS record may be created for `cluster-api.openshift.example.com`.\n\nOnce set, this field cannot be changed.", "publicZone": "publicZone is the location where all the DNS records that are publicly accessible to the internet exist.\n\nIf this field is nil, no public records should be created.\n\nOnce set, this field cannot be changed.", "privateZone": "privateZone is the location where all the DNS records that are only available internally to the cluster exist.\n\nIf this field is nil, no private records should be created.\n\nOnce set, this field cannot be changed.", + "platform": "platform holds configuration specific to the underlying infrastructure provider for DNS. When omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time.", } func (DNSSpec) SwaggerDoc() map[string]string { diff --git a/vendor/github.com/openshift/api/imageregistry/v1/00_imageregistry.crd.yaml b/vendor/github.com/openshift/api/imageregistry/v1/00_imageregistry.crd.yaml index f6c9acdfb..e2406e37c 100644 --- a/vendor/github.com/openshift/api/imageregistry/v1/00_imageregistry.crd.yaml +++ b/vendor/github.com/openshift/api/imageregistry/v1/00_imageregistry.crd.yaml @@ -607,7 +607,7 @@ spec: description: resources defines the resource requests+limits for the registry pod. properties: claims: - description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field is immutable." + description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field is immutable. It can only be set for containers." items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: @@ -637,7 +637,7 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object rolloutStrategy: @@ -943,7 +943,7 @@ spec: type: object x-kubernetes-map-type: atomic matchLabelKeys: - description: MatchLabelKeys is a set of pod label keys to select the pods over which spreading will be calculated. The keys are used to lookup values from the incoming pod labels, those key-value labels are ANDed with labelSelector to select the group of existing pods over which spreading will be calculated for the incoming pod. Keys that don't exist in the incoming pod labels will be ignored. A null or empty list means only match against labelSelector. + description: "MatchLabelKeys is a set of pod label keys to select the pods over which spreading will be calculated. The keys are used to lookup values from the incoming pod labels, those key-value labels are ANDed with labelSelector to select the group of existing pods over which spreading will be calculated for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. MatchLabelKeys cannot be set when LabelSelector isn't set. Keys that don't exist in the incoming pod labels will be ignored. A null or empty list means only match against labelSelector. \n This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default)." items: type: string type: array diff --git a/vendor/github.com/openshift/api/imageregistry/v1/01_imagepruner.crd.yaml b/vendor/github.com/openshift/api/imageregistry/v1/01_imagepruner.crd.yaml index eb3ace7ef..cc1dc208f 100644 --- a/vendor/github.com/openshift/api/imageregistry/v1/01_imagepruner.crd.yaml +++ b/vendor/github.com/openshift/api/imageregistry/v1/01_imagepruner.crd.yaml @@ -547,7 +547,7 @@ spec: type: object properties: claims: - description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field is immutable." + description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field is immutable. It can only be set for containers." type: array items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. @@ -571,7 +571,7 @@ spec: - type: string x-kubernetes-int-or-string: true requests: - description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object additionalProperties: pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ diff --git a/vendor/github.com/openshift/api/machine/v1/0000_10_controlplanemachineset.crd.yaml b/vendor/github.com/openshift/api/machine/v1/0000_10_controlplanemachineset.crd.yaml index 1a83a5129..bdaa49242 100644 --- a/vendor/github.com/openshift/api/machine/v1/0000_10_controlplanemachineset.crd.yaml +++ b/vendor/github.com/openshift/api/machine/v1/0000_10_controlplanemachineset.crd.yaml @@ -398,10 +398,10 @@ spec: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names' + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' type: string uid: - description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids' + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' type: string providerID: description: ProviderID is the identification ID of the machine provided by the provider. This field must match the provider ID as seen on the node object corresponding to this machine. This field is required by higher level consumers of cluster-api. Example use case is cluster autoscaler with cluster-api as provider. Clean-up logic in the autoscaler compares machines to nodes to find out machines at provider which could not get registered as Kubernetes nodes. With cluster-api as a generic out-of-tree provider for autoscaler, this field is required by autoscaler to be able to have a provider view of the list of machines. Another list of nodes is queried from the k8s apiserver and then a comparison is done to find out unregistered machines and are marked for delete. This field will be set by the actuators and consumed by higher level entities like autoscaler that will be interfacing with cluster-api as generic provider. diff --git a/vendor/github.com/openshift/api/machine/v1beta1/0000_10_machine.crd.yaml b/vendor/github.com/openshift/api/machine/v1beta1/0000_10_machine.crd.yaml index 4b968e51e..d11c3c72b 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/0000_10_machine.crd.yaml +++ b/vendor/github.com/openshift/api/machine/v1beta1/0000_10_machine.crd.yaml @@ -170,10 +170,10 @@ spec: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names' + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' type: string uid: - description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids' + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' type: string x-kubernetes-map-type: atomic providerID: diff --git a/vendor/github.com/openshift/api/machine/v1beta1/0000_10_machineset.crd.yaml b/vendor/github.com/openshift/api/machine/v1beta1/0000_10_machineset.crd.yaml index 6c8211300..c4bcfef24 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/0000_10_machineset.crd.yaml +++ b/vendor/github.com/openshift/api/machine/v1beta1/0000_10_machineset.crd.yaml @@ -155,10 +155,10 @@ spec: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names' + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' type: string uid: - description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids' + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' type: string x-kubernetes-map-type: atomic spec: @@ -265,10 +265,10 @@ spec: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names' + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' type: string uid: - description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids' + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' type: string x-kubernetes-map-type: atomic providerID: diff --git a/vendor/github.com/openshift/api/operator/v1/0000_50_cluster_storage_operator_01_crd.yaml b/vendor/github.com/openshift/api/operator/v1/0000_50_cluster_storage_operator_01_crd.yaml index 6ccac5ad1..80bb8eddf 100644 --- a/vendor/github.com/openshift/api/operator/v1/0000_50_cluster_storage_operator_01_crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/0000_50_cluster_storage_operator_01_crd.yaml @@ -77,13 +77,8 @@ spec: - LegacyDeprecatedInTreeDriver - CSIWithMigrationDriver x-kubernetes-validations: - - rule: oldSelf != "CSIWithMigrationDriver" || self == "CSIWithMigrationDriver" - message: VSphereStorageDriver can not be changed once it is set to CSIWithMigrationDriver - rule: self != "LegacyDeprecatedInTreeDriver" message: VSphereStorageDriver can not be set to LegacyDeprecatedInTreeDriver - x-kubernetes-validations: - - rule: '!has(oldSelf.vsphereStorageDriver) || has(self.vsphereStorageDriver)' - message: VSphereStorageDriver is required once set status: description: status holds observed values from the cluster. They may not be overridden. type: object diff --git a/vendor/github.com/openshift/api/operator/v1/0000_70_cluster-network-operator_01.crd.yaml b/vendor/github.com/openshift/api/operator/v1/0000_70_cluster-network-operator_01.crd.yaml index af20b51a7..aebba5ac3 100644 --- a/vendor/github.com/openshift/api/operator/v1/0000_70_cluster-network-operator_01.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/0000_70_cluster-network-operator_01.crd.yaml @@ -216,6 +216,9 @@ spec: description: gatewayConfig holds the configuration for node gateway options. type: object properties: + ipForwarding: + description: IPForwarding controls IP forwarding for all traffic on OVN-Kubernetes managed interfaces (such as br-ex). By default this is set to Restricted, and Kubernetes related traffic is still forwarded appropriately, but other IP traffic will not be routed by the OCP node. If there is a desire to allow the host to forward traffic across OVN-Kubernetes managed interfaces, then set this field to "Global". The supported values are "Restricted" and "Global". + type: string routingViaHost: description: RoutingViaHost allows pod egress traffic to exit via the ovn-k8s-mp0 management port into the host before sending it out. If this is not set, traffic will always egress directly from OVN to outside without touching the host stack. Setting this to true means hardware offload will not be supported. Default is false if GatewayConfig is specified. type: boolean @@ -268,6 +271,10 @@ spec: format: int32 default: 50 minimum: 1 + maxLogFiles: + description: 'maxLogFiles specifies the maximum number of ACL_audit log files that can be present. Default: 5' + type: integer + format: int32 rateLimit: description: rateLimit is the approximate maximum number of messages to generate per-second per-node. If unset the default of 20 msg/sec is used. type: integer diff --git a/vendor/github.com/openshift/api/operator/v1/0000_70_dns-operator_00.crd.yaml b/vendor/github.com/openshift/api/operator/v1/0000_70_dns-operator_00.crd.yaml index cdad2cfa1..92f24714a 100644 --- a/vendor/github.com/openshift/api/operator/v1/0000_70_dns-operator_00.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/0000_70_dns-operator_00.crd.yaml @@ -112,6 +112,12 @@ spec: - RoundRobin - Sequential type: string + protocolStrategy: + description: protocolStrategy specifies the protocol to use for upstream DNS requests. Valid values for protocolStrategy are "TCP" and omitted. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is to use the protocol of the original client request. "TCP" specifies that the platform should use TCP for all upstream DNS requests, even if the client request uses UDP. "TCP" is useful for UDP-specific issues such as those created by non-compliant upstream resolvers, but may consume more bandwidth or increase DNS response time. Note that protocolStrategy only affects the protocol of DNS requests that CoreDNS makes to upstream resolvers. It does not affect the protocol of DNS requests between clients and CoreDNS. + enum: + - TCP + - "" + type: string transportConfig: description: "transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use when forwarding DNS requests to an upstream resolver. \n The default value is \"\" (empty) which results in a standard cleartext connection being used when forwarding DNS requests to an upstream resolver." properties: @@ -172,6 +178,12 @@ spec: - RoundRobin - Sequential type: string + protocolStrategy: + description: protocolStrategy specifies the protocol to use for upstream DNS requests. Valid values for protocolStrategy are "TCP" and omitted. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is to use the protocol of the original client request. "TCP" specifies that the platform should use TCP for all upstream DNS requests, even if the client request uses UDP. "TCP" is useful for UDP-specific issues such as those created by non-compliant upstream resolvers, but may consume more bandwidth or increase DNS response time. Note that protocolStrategy only affects the protocol of DNS requests that CoreDNS makes to upstream resolvers. It does not affect the protocol of DNS requests between clients and CoreDNS. + enum: + - TCP + - "" + type: string transportConfig: description: "transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use when forwarding DNS requests to an upstream resolver. \n The default value is \"\" (empty) which results in a standard cleartext connection being used when forwarding DNS requests to an upstream resolver." properties: diff --git a/vendor/github.com/openshift/api/operator/v1/stable.storage.testsuite.yaml b/vendor/github.com/openshift/api/operator/v1/stable.storage.testsuite.yaml index a686534da..98afa6ea7 100644 --- a/vendor/github.com/openshift/api/operator/v1/stable.storage.testsuite.yaml +++ b/vendor/github.com/openshift/api/operator/v1/stable.storage.testsuite.yaml @@ -76,8 +76,8 @@ tests: kind: Storage spec: vsphereStorageDriver: LegacyDeprecatedInTreeDriver - expectedError: "VSphereStorageDriver can not be changed once it is set to CSIWithMigrationDriver" - - name: Should not allow changing CSIWithMigrationDriver to empty string + expectedError: "VSphereStorageDriver can not be set to LegacyDeprecatedInTreeDriver" + - name: Should allow changing CSIWithMigrationDriver to empty string initial: | apiVersion: operator.openshift.io/v1 kind: Storage @@ -88,8 +88,14 @@ tests: kind: Storage spec: vsphereStorageDriver: "" - expectedError: "VSphereStorageDriver can not be changed once it is set to CSIWithMigrationDriver" - - name: Should not allow unsetting VSphereStorageDriver once it is set + expected: | + apiVersion: operator.openshift.io/v1 + kind: Storage + spec: + vsphereStorageDriver: "" + logLevel: Normal + operatorLogLevel: Normal + - name: Should allow unsetting VSphereStorageDriver once it is set initial: | apiVersion: operator.openshift.io/v1 kind: Storage @@ -99,4 +105,9 @@ tests: apiVersion: operator.openshift.io/v1 kind: Storage spec: {} - expectedError: "VSphereStorageDriver is required once set" + expected: | + apiVersion: operator.openshift.io/v1 + kind: Storage + spec: + logLevel: Normal + operatorLogLevel: Normal diff --git a/vendor/github.com/openshift/api/operator/v1/types_dns.go b/vendor/github.com/openshift/api/operator/v1/types_dns.go index fd42d30ce..55e98d1f8 100644 --- a/vendor/github.com/openshift/api/operator/v1/types_dns.go +++ b/vendor/github.com/openshift/api/operator/v1/types_dns.go @@ -290,6 +290,25 @@ type ForwardPlugin struct { // // +optional TransportConfig DNSTransportConfig `json:"transportConfig,omitempty"` + + + // protocolStrategy specifies the protocol to use for upstream DNS + // requests. + // Valid values for protocolStrategy are "TCP" and omitted. + // When omitted, this means no opinion and the platform is left to choose + // a reasonable default, which is subject to change over time. + // The current default is to use the protocol of the original client request. + // "TCP" specifies that the platform should use TCP for all upstream DNS requests, + // even if the client request uses UDP. + // "TCP" is useful for UDP-specific issues such as those created by + // non-compliant upstream resolvers, but may consume more bandwidth or + // increase DNS response time. Note that protocolStrategy only affects + // the protocol of DNS requests that CoreDNS makes to upstream resolvers. + // It does not affect the protocol of DNS requests between clients and + // CoreDNS. + // + // +optional + ProtocolStrategy ProtocolStrategy `json:"protocolStrategy"` } // UpstreamResolvers defines a schema for configuring the CoreDNS forward plugin in the @@ -332,6 +351,24 @@ type UpstreamResolvers struct { // // +optional TransportConfig DNSTransportConfig `json:"transportConfig,omitempty"` + + // protocolStrategy specifies the protocol to use for upstream DNS + // requests. + // Valid values for protocolStrategy are "TCP" and omitted. + // When omitted, this means no opinion and the platform is left to choose + // a reasonable default, which is subject to change over time. + // The current default is to use the protocol of the original client request. + // "TCP" specifies that the platform should use TCP for all upstream DNS requests, + // even if the client request uses UDP. + // "TCP" is useful for UDP-specific issues such as those created by + // non-compliant upstream resolvers, but may consume more bandwidth or + // increase DNS response time. Note that protocolStrategy only affects + // the protocol of DNS requests that CoreDNS makes to upstream resolvers. + // It does not affect the protocol of DNS requests between clients and + // CoreDNS. + // + // +optional + ProtocolStrategy ProtocolStrategy `json:"protocolStrategy"` } // Upstream can either be of type SystemResolvConf, or of type Network. @@ -379,6 +416,23 @@ const ( NetworkResolverType UpstreamType = "Network" ) +// ProtocolStrategy is a preference for the protocol to use for DNS queries. +// + --- +// + When consumers observe an unknown value, they should use the default strategy. +// +kubebuilder:validation:Enum:=TCP;"" +type ProtocolStrategy string + +var ( + // ProtocolStrategyDefault specifies no opinion for DNS protocol. + // If empty, the default behavior of CoreDNS is used. Currently, this means that CoreDNS uses the protocol of the + // originating client request as the upstream protocol. + // Note that the default behavior of CoreDNS is subject to change. + ProtocolStrategyDefault ProtocolStrategy = "" + + // ProtocolStrategyTCP instructs CoreDNS to always use TCP, regardless of the originating client's request protocol. + ProtocolStrategyTCP ProtocolStrategy = "TCP" +) + // DNSNodePlacement describes the node scheduling configuration for DNS pods. type DNSNodePlacement struct { // nodeSelector is the node selector applied to DNS pods. diff --git a/vendor/github.com/openshift/api/operator/v1/types_network.go b/vendor/github.com/openshift/api/operator/v1/types_network.go index e04498fb6..a7bb74ec4 100644 --- a/vendor/github.com/openshift/api/operator/v1/types_network.go +++ b/vendor/github.com/openshift/api/operator/v1/types_network.go @@ -480,6 +480,17 @@ type HybridOverlayConfig struct { type IPsecConfig struct { } +type IPForwardingMode string + +const ( + // IPForwardingRestricted limits the IP forwarding on OVN-Kube managed interfaces (br-ex, br-ex1) to only required + // service and other k8s related traffic + IPForwardingRestricted IPForwardingMode = "Restricted" + + // IPForwardingGlobal allows all IP traffic to be forwarded across OVN-Kube managed interfaces + IPForwardingGlobal IPForwardingMode = "Global" +) + // GatewayConfig holds node gateway-related parsed config file parameters and command-line overrides type GatewayConfig struct { // RoutingViaHost allows pod egress traffic to exit via the ovn-k8s-mp0 management port @@ -489,6 +500,13 @@ type GatewayConfig struct { // +kubebuilder:default:=false // +optional RoutingViaHost bool `json:"routingViaHost,omitempty"` + // IPForwarding controls IP forwarding for all traffic on OVN-Kubernetes managed interfaces (such as br-ex). + // By default this is set to Restricted, and Kubernetes related traffic is still forwarded appropriately, but other + // IP traffic will not be routed by the OCP node. If there is a desire to allow the host to forward traffic across + // OVN-Kubernetes managed interfaces, then set this field to "Global". + // The supported values are "Restricted" and "Global". + // +optional + IPForwarding IPForwardingMode `json:"ipForwarding,omitempty"` } type ExportNetworkFlows struct { @@ -543,6 +561,11 @@ type PolicyAuditConfig struct { // +optional MaxFileSize *uint32 `json:"maxFileSize,omitempty"` + // maxLogFiles specifies the maximum number of ACL_audit log files that can be present. + // Default: 5 + // +optional + MaxLogFiles *int32 `json:"maxLogFiles,omitempty"` + // destination is the location for policy log messages. // Regardless of this config, persistent logs will always be dumped to the host // at /var/log/ovn/ however diff --git a/vendor/github.com/openshift/api/operator/v1/types_storage.go b/vendor/github.com/openshift/api/operator/v1/types_storage.go index 84d00cd36..96a4b5d88 100644 --- a/vendor/github.com/openshift/api/operator/v1/types_storage.go +++ b/vendor/github.com/openshift/api/operator/v1/types_storage.go @@ -39,7 +39,6 @@ const ( ) // StorageSpec is the specification of the desired behavior of the cluster storage operator. -// +kubebuilder:validation:XValidation:rule="!has(oldSelf.vsphereStorageDriver) || has(self.vsphereStorageDriver)", message="VSphereStorageDriver is required once set" type StorageSpec struct { OperatorSpec `json:",inline"` @@ -49,7 +48,6 @@ type StorageSpec struct { // which may change over time without notice. // The current default is CSIWithMigrationDriver and may not be changed. // DEPRECATED: This field will be removed in a future release. - // +kubebuilder:validation:XValidation:rule="oldSelf != \"CSIWithMigrationDriver\" || self == \"CSIWithMigrationDriver\"",message="VSphereStorageDriver can not be changed once it is set to CSIWithMigrationDriver" // +kubebuilder:validation:XValidation:rule="self != \"LegacyDeprecatedInTreeDriver\"",message="VSphereStorageDriver can not be set to LegacyDeprecatedInTreeDriver" // +optional VSphereStorageDriver StorageDriverType `json:"vsphereStorageDriver"` diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go index 609219c06..b72d5296f 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go @@ -3512,6 +3512,11 @@ func (in *PolicyAuditConfig) DeepCopyInto(out *PolicyAuditConfig) { *out = new(uint32) **out = **in } + if in.MaxLogFiles != nil { + in, out := &in.MaxLogFiles, &out.MaxLogFiles + *out = new(int32) + **out = **in + } return } diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go index b93db3608..4ccaa5b41 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go @@ -622,10 +622,11 @@ func (DNSTransportConfig) SwaggerDoc() map[string]string { } var map_ForwardPlugin = map[string]string{ - "": "ForwardPlugin defines a schema for configuring the CoreDNS forward plugin.", - "upstreams": "upstreams is a list of resolvers to forward name queries for subdomains of Zones. Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream returns an error during the exchange, another resolver is tried from Upstreams. The Upstreams are selected in the order specified in Policy. Each upstream is represented by an IP address or IP:port if the upstream listens on a port other than 53.\n\nA maximum of 15 upstreams is allowed per ForwardPlugin.", - "policy": "policy is used to determine the order in which upstream servers are selected for querying. Any one of the following values may be specified:\n\n* \"Random\" picks a random upstream server for each query. * \"RoundRobin\" picks upstream servers in a round-robin order, moving to the next server for each new query. * \"Sequential\" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query.\n\nThe default value is \"Random\"", - "transportConfig": "transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use when forwarding DNS requests to an upstream resolver.\n\nThe default value is \"\" (empty) which results in a standard cleartext connection being used when forwarding DNS requests to an upstream resolver.", + "": "ForwardPlugin defines a schema for configuring the CoreDNS forward plugin.", + "upstreams": "upstreams is a list of resolvers to forward name queries for subdomains of Zones. Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream returns an error during the exchange, another resolver is tried from Upstreams. The Upstreams are selected in the order specified in Policy. Each upstream is represented by an IP address or IP:port if the upstream listens on a port other than 53.\n\nA maximum of 15 upstreams is allowed per ForwardPlugin.", + "policy": "policy is used to determine the order in which upstream servers are selected for querying. Any one of the following values may be specified:\n\n* \"Random\" picks a random upstream server for each query. * \"RoundRobin\" picks upstream servers in a round-robin order, moving to the next server for each new query. * \"Sequential\" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query.\n\nThe default value is \"Random\"", + "transportConfig": "transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use when forwarding DNS requests to an upstream resolver.\n\nThe default value is \"\" (empty) which results in a standard cleartext connection being used when forwarding DNS requests to an upstream resolver.", + "protocolStrategy": "protocolStrategy specifies the protocol to use for upstream DNS requests. Valid values for protocolStrategy are \"TCP\" and omitted. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is to use the protocol of the original client request. \"TCP\" specifies that the platform should use TCP for all upstream DNS requests, even if the client request uses UDP. \"TCP\" is useful for UDP-specific issues such as those created by non-compliant upstream resolvers, but may consume more bandwidth or increase DNS response time. Note that protocolStrategy only affects the protocol of DNS requests that CoreDNS makes to upstream resolvers. It does not affect the protocol of DNS requests between clients and CoreDNS.", } func (ForwardPlugin) SwaggerDoc() map[string]string { @@ -655,10 +656,11 @@ func (Upstream) SwaggerDoc() map[string]string { } var map_UpstreamResolvers = map[string]string{ - "": "UpstreamResolvers defines a schema for configuring the CoreDNS forward plugin in the specific case of the default (\".\") server. It defers from ForwardPlugin in the default values it accepts: * At least one upstream should be specified. * the default policy is Sequential", - "upstreams": "Upstreams is a list of resolvers to forward name queries for the \".\" domain. Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream returns an error during the exchange, another resolver is tried from Upstreams. The Upstreams are selected in the order specified in Policy.\n\nA maximum of 15 upstreams is allowed per ForwardPlugin. If no Upstreams are specified, /etc/resolv.conf is used by default", - "policy": "Policy is used to determine the order in which upstream servers are selected for querying. Any one of the following values may be specified:\n\n* \"Random\" picks a random upstream server for each query. * \"RoundRobin\" picks upstream servers in a round-robin order, moving to the next server for each new query. * \"Sequential\" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query.\n\nThe default value is \"Sequential\"", - "transportConfig": "transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use when forwarding DNS requests to an upstream resolver.\n\nThe default value is \"\" (empty) which results in a standard cleartext connection being used when forwarding DNS requests to an upstream resolver.", + "": "UpstreamResolvers defines a schema for configuring the CoreDNS forward plugin in the specific case of the default (\".\") server. It defers from ForwardPlugin in the default values it accepts: * At least one upstream should be specified. * the default policy is Sequential", + "upstreams": "Upstreams is a list of resolvers to forward name queries for the \".\" domain. Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream returns an error during the exchange, another resolver is tried from Upstreams. The Upstreams are selected in the order specified in Policy.\n\nA maximum of 15 upstreams is allowed per ForwardPlugin. If no Upstreams are specified, /etc/resolv.conf is used by default", + "policy": "Policy is used to determine the order in which upstream servers are selected for querying. Any one of the following values may be specified:\n\n* \"Random\" picks a random upstream server for each query. * \"RoundRobin\" picks upstream servers in a round-robin order, moving to the next server for each new query. * \"Sequential\" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query.\n\nThe default value is \"Sequential\"", + "transportConfig": "transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use when forwarding DNS requests to an upstream resolver.\n\nThe default value is \"\" (empty) which results in a standard cleartext connection being used when forwarding DNS requests to an upstream resolver.", + "protocolStrategy": "protocolStrategy specifies the protocol to use for upstream DNS requests. Valid values for protocolStrategy are \"TCP\" and omitted. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is to use the protocol of the original client request. \"TCP\" specifies that the platform should use TCP for all upstream DNS requests, even if the client request uses UDP. \"TCP\" is useful for UDP-specific issues such as those created by non-compliant upstream resolvers, but may consume more bandwidth or increase DNS response time. Note that protocolStrategy only affects the protocol of DNS requests that CoreDNS makes to upstream resolvers. It does not affect the protocol of DNS requests between clients and CoreDNS.", } func (UpstreamResolvers) SwaggerDoc() map[string]string { @@ -1257,6 +1259,7 @@ func (FeaturesMigration) SwaggerDoc() map[string]string { var map_GatewayConfig = map[string]string{ "": "GatewayConfig holds node gateway-related parsed config file parameters and command-line overrides", "routingViaHost": "RoutingViaHost allows pod egress traffic to exit via the ovn-k8s-mp0 management port into the host before sending it out. If this is not set, traffic will always egress directly from OVN to outside without touching the host stack. Setting this to true means hardware offload will not be supported. Default is false if GatewayConfig is specified.", + "ipForwarding": "IPForwarding controls IP forwarding for all traffic on OVN-Kubernetes managed interfaces (such as br-ex). By default this is set to Restricted, and Kubernetes related traffic is still forwarded appropriately, but other IP traffic will not be routed by the OCP node. If there is a desire to allow the host to forward traffic across OVN-Kubernetes managed interfaces, then set this field to \"Global\". The supported values are \"Restricted\" and \"Global\".", } func (GatewayConfig) SwaggerDoc() map[string]string { @@ -1423,6 +1426,7 @@ func (OpenShiftSDNConfig) SwaggerDoc() map[string]string { var map_PolicyAuditConfig = map[string]string{ "rateLimit": "rateLimit is the approximate maximum number of messages to generate per-second per-node. If unset the default of 20 msg/sec is used.", "maxFileSize": "maxFilesSize is the max size an ACL_audit log file is allowed to reach before rotation occurs Units are in MB and the Default is 50MB", + "maxLogFiles": "maxLogFiles specifies the maximum number of ACL_audit log files that can be present. Default: 5", "destination": "destination is the location for policy log messages. Regardless of this config, persistent logs will always be dumped to the host at /var/log/ovn/ however Additionally syslog output may be configured as follows. Valid values are: - \"libc\" -> to use the libc syslog() function of the host node's journdald process - \"udp:host:port\" -> for sending syslog over UDP - \"unix:file\" -> for using the UNIX domain socket directly - \"null\" -> to discard all messages logged to syslog The default is \"null\"", "syslogFacility": "syslogFacility the RFC5424 facility for generated messages, e.g. \"kern\". Default is \"local0\"", } diff --git a/vendor/github.com/openshift/api/route/v1/generated.proto b/vendor/github.com/openshift/api/route/v1/generated.proto index b2fd879bb..b6bfc1639 100644 --- a/vendor/github.com/openshift/api/route/v1/generated.proto +++ b/vendor/github.com/openshift/api/route/v1/generated.proto @@ -242,6 +242,8 @@ message RouterShard { } // TLSConfig defines config used to secure a route and provide termination +// +// +kubebuilder:validation:XValidation:rule="has(self.termination) && has(self.insecureEdgeTerminationPolicy) ? !((self.termination=='passthrough') && (self.insecureEdgeTerminationPolicy=='Allow')) : true", message="cannot have both spec.tls.termination: passthrough and spec.tls.insecureEdgeTerminationPolicy: Allow" message TLSConfig { // termination indicates termination type. // @@ -272,9 +274,11 @@ message TLSConfig { // insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While // each router may make its own decisions on which ports to expose, this is normally port 80. // - // * Allow - traffic is sent to the server on the insecure port (default) - // * Disable - no traffic is allowed on the insecure port. + // * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only) (default). + // * None - no traffic is allowed on the insecure port. // * Redirect - clients are redirected to the secure port. + // + // +kubebuilder:validation:Enum=Allow;None;Redirect;"" optional string insecureEdgeTerminationPolicy = 6; } diff --git a/vendor/github.com/openshift/api/route/v1/route.crd.yaml b/vendor/github.com/openshift/api/route/v1/route.crd.yaml index 84aba660b..d4a7dfcf8 100644 --- a/vendor/github.com/openshift/api/route/v1/route.crd.yaml +++ b/vendor/github.com/openshift/api/route/v1/route.crd.yaml @@ -151,32 +151,6 @@ spec: termination: enum: - edge - - anyOf: - - properties: - insecureEdgeTerminationPolicy: - enum: - - "" - - None - - Allow - - Redirect - - not: - properties: - termination: - enum: - - edge - - reencrypt - - anyOf: - - properties: - insecureEdgeTerminationPolicy: - enum: - - "" - - None - - Redirect - - not: - properties: - termination: - enum: - - passthrough description: The tls field provides the ability to configure certificates and termination for the route. properties: caCertificate: @@ -189,7 +163,12 @@ spec: description: destinationCACertificate provides the contents of the ca certificate of the final destination. When using reencrypt termination this file should be provided in order to have routers use it for health checks on the secure connection. If this field is not specified, the router may provide its own destination CA and perform hostname validation using the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically verify. type: string insecureEdgeTerminationPolicy: - description: "insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80. \n * Allow - traffic is sent to the server on the insecure port (default) * Disable - no traffic is allowed on the insecure port. * Redirect - clients are redirected to the secure port." + description: "insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80. \n * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only) (default). * None - no traffic is allowed on the insecure port. * Redirect - clients are redirected to the secure port." + enum: + - Allow + - None + - Redirect + - "" type: string key: description: key provides key file contents @@ -204,6 +183,9 @@ spec: required: - termination type: object + x-kubernetes-validations: + - message: 'cannot have both spec.tls.termination: passthrough and spec.tls.insecureEdgeTerminationPolicy: Allow' + rule: 'has(self.termination) && has(self.insecureEdgeTerminationPolicy) ? !((self.termination==''passthrough'') && (self.insecureEdgeTerminationPolicy==''Allow'')) : true' to: description: to is an object the route should use as the primary backend. Only the Service kind is allowed, and it will be defaulted to Service. If the weight field (0-256 default 100) is set to zero, no traffic will be sent to this backend. properties: diff --git a/vendor/github.com/openshift/api/route/v1/route.crd.yaml-patch b/vendor/github.com/openshift/api/route/v1/route.crd.yaml-patch index 47fbb5da8..7f09302f3 100644 --- a/vendor/github.com/openshift/api/route/v1/route.crd.yaml-patch +++ b/vendor/github.com/openshift/api/route/v1/route.crd.yaml-patch @@ -65,22 +65,3 @@ properties: termination: enum: ["edge"] - # Any insecure edge-termination policy may be used if we terminate TLS. - - anyOf: - - properties: - insecureEdgeTerminationPolicy: - enum: ["", "None", "Allow", "Redirect"] - - not: - properties: - termination: - enum: ["edge","reencrypt"] - # Any insecure edge-termination policy *except* for "Allow" maybe used when - # using passthrough TLS. - - anyOf: - - properties: - insecureEdgeTerminationPolicy: - enum: ["", "None", "Redirect"] - - not: - properties: - termination: - enum: ["passthrough"] diff --git a/vendor/github.com/openshift/api/route/v1/stable.route.testsuite.yaml b/vendor/github.com/openshift/api/route/v1/stable.route.testsuite.yaml index 68e144b64..0031afdb5 100644 --- a/vendor/github.com/openshift/api/route/v1/stable.route.testsuite.yaml +++ b/vendor/github.com/openshift/api/route/v1/stable.route.testsuite.yaml @@ -20,3 +20,65 @@ tests: name: foo weight: 100 wildcardPolicy: None + - name: "cannot have both spec.tls.termination: passthrough and spec.tls.insecureEdgeTerminationPolicy: Allow" + initial: | + apiVersion: route.openshift.io/v1 + kind: Route + spec: + to: + kind: Service + name: foo + tls: + termination: passthrough + insecureEdgeTerminationPolicy: Allow + expectedError: "cannot have both spec.tls.termination: passthrough and spec.tls.insecureEdgeTerminationPolicy: Allow" + - name: "spec.tls.termination: passthrough is compatible with spec.tls.insecureEdgeTerminationPolicy: Redirect" + initial: | + apiVersion: route.openshift.io/v1 + kind: Route + spec: + host: test.foo + to: + kind: Service + name: foo + tls: + termination: passthrough + insecureEdgeTerminationPolicy: Redirect + expected: | + apiVersion: route.openshift.io/v1 + kind: Route + spec: + host: test.foo + to: + kind: Service + name: foo + weight: 100 + tls: + termination: passthrough + insecureEdgeTerminationPolicy: Redirect + wildcardPolicy: None + - name: "spec.tls.termination: passthrough is compatible with spec.tls.insecureEdgeTerminationPolicy: None" + initial: | + apiVersion: route.openshift.io/v1 + kind: Route + spec: + host: test.foo + to: + kind: Service + name: foo + tls: + termination: passthrough + insecureEdgeTerminationPolicy: None + expected: | + apiVersion: route.openshift.io/v1 + kind: Route + spec: + host: test.foo + to: + kind: Service + name: foo + weight: 100 + tls: + termination: passthrough + insecureEdgeTerminationPolicy: None + wildcardPolicy: None diff --git a/vendor/github.com/openshift/api/route/v1/types.go b/vendor/github.com/openshift/api/route/v1/types.go index eed8d69e6..a48161cf2 100644 --- a/vendor/github.com/openshift/api/route/v1/types.go +++ b/vendor/github.com/openshift/api/route/v1/types.go @@ -246,6 +246,8 @@ type RouterShard struct { } // TLSConfig defines config used to secure a route and provide termination +// +// +kubebuilder:validation:XValidation:rule="has(self.termination) && has(self.insecureEdgeTerminationPolicy) ? !((self.termination=='passthrough') && (self.insecureEdgeTerminationPolicy=='Allow')) : true", message="cannot have both spec.tls.termination: passthrough and spec.tls.insecureEdgeTerminationPolicy: Allow" type TLSConfig struct { // termination indicates termination type. // @@ -276,9 +278,11 @@ type TLSConfig struct { // insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While // each router may make its own decisions on which ports to expose, this is normally port 80. // - // * Allow - traffic is sent to the server on the insecure port (default) - // * Disable - no traffic is allowed on the insecure port. + // * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only) (default). + // * None - no traffic is allowed on the insecure port. // * Redirect - clients are redirected to the secure port. + // + // +kubebuilder:validation:Enum=Allow;None;Redirect;"" InsecureEdgeTerminationPolicy InsecureEdgeTerminationPolicyType `json:"insecureEdgeTerminationPolicy,omitempty" protobuf:"bytes,6,opt,name=insecureEdgeTerminationPolicy,casttype=InsecureEdgeTerminationPolicyType"` } diff --git a/vendor/github.com/openshift/api/route/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/route/v1/zz_generated.swagger_doc_generated.go index 7cb17d002..eb8971bd2 100644 --- a/vendor/github.com/openshift/api/route/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/route/v1/zz_generated.swagger_doc_generated.go @@ -120,7 +120,7 @@ var map_TLSConfig = map[string]string{ "key": "key provides key file contents", "caCertificate": "caCertificate provides the cert authority certificate contents", "destinationCACertificate": "destinationCACertificate provides the contents of the ca certificate of the final destination. When using reencrypt termination this file should be provided in order to have routers use it for health checks on the secure connection. If this field is not specified, the router may provide its own destination CA and perform hostname validation using the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically verify.", - "insecureEdgeTerminationPolicy": "insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80.\n\n* Allow - traffic is sent to the server on the insecure port (default) * Disable - no traffic is allowed on the insecure port. * Redirect - clients are redirected to the secure port.", + "insecureEdgeTerminationPolicy": "insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80.\n\n* Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only) (default). * None - no traffic is allowed on the insecure port. * Redirect - clients are redirected to the secure port.", } func (TLSConfig) SwaggerDoc() map[string]string { diff --git a/vendor/modules.txt b/vendor/modules.txt index f52fe9cc6..6527c06d3 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -341,8 +341,8 @@ github.com/munnerz/goautoneg github.com/oklog/ulid # github.com/onsi/ginkgo v1.16.5 ## explicit; go 1.16 -# github.com/openshift/api v3.9.1-0.20190924102528-32369d4db2ad+incompatible => github.com/openshift/api v0.0.0-20230503123822-b6cc8ba8ba17 -## explicit; go 1.19 +# github.com/openshift/api v3.9.1-0.20190924102528-32369d4db2ad+incompatible => github.com/openshift/api v0.0.0-20230602160751-5c5196d9f4af +## explicit; go 1.20 github.com/openshift/api github.com/openshift/api/apiserver github.com/openshift/api/apiserver/v1 @@ -1251,5 +1251,5 @@ sigs.k8s.io/structured-merge-diff/v4/value ## explicit; go 1.12 sigs.k8s.io/yaml # bitbucket.org/ww/goautoneg => github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d -# github.com/openshift/api => github.com/openshift/api v0.0.0-20230503123822-b6cc8ba8ba17 +# github.com/openshift/api => github.com/openshift/api v0.0.0-20230602160751-5c5196d9f4af # k8s.io/client-go => k8s.io/client-go v0.27.2