diff --git a/go.mod b/go.mod index 2f6f0474d..28bf6bf49 100644 --- a/go.mod +++ b/go.mod @@ -11,7 +11,7 @@ require ( github.com/onsi/ginkgo/v2 v2.21.0 github.com/onsi/gomega v1.35.1 github.com/openshift-eng/openshift-tests-extension v0.0.0-20250220212757-b9c4d98a0c45 - github.com/openshift/api v0.0.0-20260116192047-6fb7fdae95fd + github.com/openshift/api v0.0.0-20260126183958-606bd613f9f7 github.com/openshift/client-go v0.0.0-20260108185524-48f4ccfc4e13 github.com/openshift/library-go v0.0.0-20260121132910-dc3a1c884c04 github.com/operator-framework/api v0.17.1 @@ -34,6 +34,8 @@ require ( k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 ) +replace github.com/openshift/library-go => github.com/JoelSpeed/library-go v0.0.0-20260130121715-6e5ccfd0da42 + require ( cel.dev/expr v0.24.0 // indirect github.com/antlr4-go/antlr/v4 v4.13.0 // indirect diff --git a/go.sum b/go.sum index a129e4c4e..d4168621f 100644 --- a/go.sum +++ b/go.sum @@ -1,5 +1,7 @@ cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY= cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw= +github.com/JoelSpeed/library-go v0.0.0-20260130121715-6e5ccfd0da42 h1:uIrR1qWklQm8U7WgtSZnyxj8bxCRtzvQ9JDKWvihOCg= +github.com/JoelSpeed/library-go v0.0.0-20260130121715-6e5ccfd0da42/go.mod h1:DCRz1EgdayEmr9b6KXKDL+DWBN0rGHu/VYADeHzPoOk= github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI= github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= @@ -86,12 +88,10 @@ github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4= github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog= github.com/openshift-eng/openshift-tests-extension v0.0.0-20250220212757-b9c4d98a0c45 h1:hXpbYtP3iTh8oy/RKwKkcMziwchY3fIk95ciczf7cOA= github.com/openshift-eng/openshift-tests-extension v0.0.0-20250220212757-b9c4d98a0c45/go.mod h1:6gkP5f2HL0meusT0Aim8icAspcD1cG055xxBZ9yC68M= -github.com/openshift/api v0.0.0-20260116192047-6fb7fdae95fd h1:Hpjq/55Qb0Gy65RewTSWWlyxpSovaRF86EPjYQkdlRU= -github.com/openshift/api v0.0.0-20260116192047-6fb7fdae95fd/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY= +github.com/openshift/api v0.0.0-20260126183958-606bd613f9f7 h1:96rhgJpWlWzKEslMd6aYFMixV9vQVY32M71JcO4Gzn0= +github.com/openshift/api v0.0.0-20260126183958-606bd613f9f7/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY= github.com/openshift/client-go v0.0.0-20260108185524-48f4ccfc4e13 h1:6rd4zSo2UaWQcAPZfHK9yzKVqH0BnMv1hqMzqXZyTds= github.com/openshift/client-go v0.0.0-20260108185524-48f4ccfc4e13/go.mod h1:YvOmPmV7wcJxpfhTDuFqqs2Xpb3M3ovsM6Qs/i2ptq4= -github.com/openshift/library-go v0.0.0-20260121132910-dc3a1c884c04 h1:Fm9C8pT4l6VjpdqdhI1cBX9Y3D3S+rFxptVhCPBbMAI= -github.com/openshift/library-go v0.0.0-20260121132910-dc3a1c884c04/go.mod h1:nIzWQQE49XbiKizVnVOip9CEB7HJ0hoJwNi3g3YKnKc= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241205171354-8006f302fd12 h1:AKx/w1qpS8We43bsRgf8Nll3CGlDHpr/WAXvuedTNZI= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241205171354-8006f302fd12/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo= github.com/operator-framework/api v0.17.1 h1:J/6+Xj4IEV8C7hcirqUFwOiZAU3PbnJhWvB0/bB51c4= diff --git a/lib/manifest/manifest.go b/lib/manifest/manifest.go index 9be5d7653..a170a4c85 100644 --- a/lib/manifest/manifest.go +++ b/lib/manifest/manifest.go @@ -36,6 +36,9 @@ type InclusionConfiguration struct { // EnabledFeatureGates excludes manifests with a feature gate requirement when the condition is not met. EnabledFeatureGates sets.Set[string] + + // MajorVersion, if non-nil, excludes manifests unless they match the major version. + MajorVersion *uint64 } // GetImplicitlyEnabledCapabilities returns a set of capabilities that are implicitly enabled after a cluster update. @@ -61,6 +64,7 @@ func GetImplicitlyEnabledCapabilities( manifestInclusionConfiguration.Capabilities, manifestInclusionConfiguration.Overrides, manifestInclusionConfiguration.EnabledFeatureGates, + manifestInclusionConfiguration.MajorVersion, true, ) // update manifest is enabled, no need to check @@ -79,6 +83,7 @@ func GetImplicitlyEnabledCapabilities( manifestInclusionConfiguration.Capabilities, manifestInclusionConfiguration.Overrides, manifestInclusionConfiguration.EnabledFeatureGates, + manifestInclusionConfiguration.MajorVersion, true, ); err != nil { continue diff --git a/pkg/cvo/featuregate_integration_test.go b/pkg/cvo/featuregate_integration_test.go index 45248456b..f48f14379 100644 --- a/pkg/cvo/featuregate_integration_test.go +++ b/pkg/cvo/featuregate_integration_test.go @@ -100,7 +100,7 @@ func TestFeatureGateManifestFiltering(t *testing.T) { } // Test the manifest inclusion logic - err := manifest.Include(nil, nil, nil, nil, nil, tt.enabledGates) + err := manifest.Include(nil, nil, nil, nil, nil, tt.enabledGates, nil) if tt.shouldInclude { if err != nil { @@ -143,7 +143,7 @@ func TestSyncWorkIntegration(t *testing.T) { Obj: testObj, } - err := manifest.Include(nil, nil, nil, nil, nil, work.EnabledFeatureGates) + err := manifest.Include(nil, nil, nil, nil, nil, work.EnabledFeatureGates, nil) if err != nil { t.Errorf("Expected manifest to be included with TestGate1 enabled, got error: %v", err) } @@ -153,7 +153,7 @@ func TestSyncWorkIntegration(t *testing.T) { "release.openshift.io/feature-gate": "DisabledGate", }) - err = manifest.Include(nil, nil, nil, nil, nil, work.EnabledFeatureGates) + err = manifest.Include(nil, nil, nil, nil, nil, work.EnabledFeatureGates, nil) if err == nil { t.Error("Expected manifest to be excluded with DisabledGate not enabled, but no error occurred") } @@ -262,7 +262,7 @@ func TestManifestFilteringExamples(t *testing.T) { Obj: obj, } - err := manifest.Include(nil, nil, nil, nil, nil, example.enabledGates) + err := manifest.Include(nil, nil, nil, nil, nil, example.enabledGates, nil) if example.shouldInclude { if err != nil { diff --git a/pkg/cvo/sync_worker.go b/pkg/cvo/sync_worker.go index 8c94b1917..756d377b7 100644 --- a/pkg/cvo/sync_worker.go +++ b/pkg/cvo/sync_worker.go @@ -446,7 +446,7 @@ func (w *SyncWorker) syncPayload(ctx context.Context, work *SyncWork) ([]configv if w.payload != nil { implicitlyEnabledCaps = capability.SortedList(payload.GetImplicitlyEnabledCapabilities(payloadUpdate.Manifests, w.payload.Manifests, - work.Capabilities, work.EnabledFeatureGates)) + work.Capabilities, work.EnabledFeatureGates, w.payload.MajorVersion)) } w.payload = payloadUpdate @@ -1065,7 +1065,7 @@ func (w *SyncWorker) apply(ctx context.Context, work *SyncWork, maxWorkers int, if task.Manifest.GVK != configv1.GroupVersion.WithKind("ClusterOperator") { continue } - if err := task.Manifest.Include(nil, nil, nil, &capabilities, work.Overrides, work.EnabledFeatureGates); err != nil { + if err := task.Manifest.Include(nil, nil, nil, &capabilities, work.Overrides, work.EnabledFeatureGates, payloadUpdate.MajorVersion); err != nil { klog.V(manifestVerbosity).Infof("Skipping precreation of %s: %s", task, err) continue } @@ -1085,7 +1085,7 @@ func (w *SyncWorker) apply(ctx context.Context, work *SyncWork, maxWorkers int, klog.V(manifestVerbosity).Infof("Running sync for %s", task) - if err := task.Manifest.Include(nil, nil, nil, &capabilities, work.Overrides, work.EnabledFeatureGates); err != nil { + if err := task.Manifest.Include(nil, nil, nil, &capabilities, work.Overrides, work.EnabledFeatureGates, payloadUpdate.MajorVersion); err != nil { klog.V(manifestVerbosity).Infof("Skipping %s: %s", task, err) continue } diff --git a/pkg/payload/payload.go b/pkg/payload/payload.go index 1314cdca1..561498146 100644 --- a/pkg/payload/payload.go +++ b/pkg/payload/payload.go @@ -13,6 +13,7 @@ import ( "time" "k8s.io/klog/v2" + "k8s.io/utils/ptr" utilerrors "k8s.io/apimachinery/pkg/util/errors" "k8s.io/apimachinery/pkg/util/sets" @@ -110,6 +111,7 @@ type Update struct { ImageRef *imagev1.ImageStream Architecture string + MajorVersion *uint64 // manifestHash is a hash of the manifests included in this payload ManifestHash string @@ -211,7 +213,7 @@ func LoadUpdate(dir, releaseImage, excludeIdentifier string, requiredFeatureSet filteredMs := []manifest.Manifest{} for _, manifest := range ms { - if err := manifest.Include(&excludeIdentifier, &requiredFeatureSet, &profile, onlyKnownCaps, nil, enabledFeatureGates); err != nil { + if err := manifest.Include(&excludeIdentifier, &requiredFeatureSet, &profile, onlyKnownCaps, nil, enabledFeatureGates, payload.MajorVersion); err != nil { klog.V(2).Infof("excluding %s: %v\n", manifest.String(), err) continue } @@ -243,12 +245,12 @@ func LoadUpdate(dir, releaseImage, excludeIdentifier string, requiredFeatureSet // the current payload the updated manifest's capabilities are checked to see if any must be implicitly enabled. // All capabilities requiring implicit enablement are returned. func GetImplicitlyEnabledCapabilities(updatePayloadManifests []manifest.Manifest, currentPayloadManifests []manifest.Manifest, - capabilities capability.ClusterCapabilities, enabledFeatureGates sets.Set[string]) sets.Set[configv1.ClusterVersionCapability] { + capabilities capability.ClusterCapabilities, enabledFeatureGates sets.Set[string], majorVersion *uint64) sets.Set[configv1.ClusterVersionCapability] { clusterCaps := capability.GetCapabilitiesStatus(capabilities) return localmanifest.GetImplicitlyEnabledCapabilities( updatePayloadManifests, currentPayloadManifests, - localmanifest.InclusionConfiguration{Capabilities: &clusterCaps, EnabledFeatureGates: enabledFeatureGates}, + localmanifest.InclusionConfiguration{Capabilities: &clusterCaps, EnabledFeatureGates: enabledFeatureGates, MajorVersion: majorVersion}, capabilities.ImplicitlyEnabled, ) } @@ -284,6 +286,11 @@ func loadPayloadMetadata(releaseDir, releaseImage string) (*Update, error) { klog.V(2).Infof("Architecture from %s (%s) retrieved from runtime: %q", cincinnatiJSONFile, release.Version, arch) } + parsedVersion, err := semver.Parse(release.Version) + if err != nil { + return nil, fmt.Errorf("failed to parse release version %s: %w", release.Version, err) + } + release.Image = releaseImage imageRef, err := loadImageReferences(releaseDir) @@ -299,6 +306,7 @@ func loadPayloadMetadata(releaseDir, releaseImage string) (*Update, error) { Release: release, ImageRef: imageRef, Architecture: arch, + MajorVersion: ptr.To(parsedVersion.Major), }, nil } diff --git a/pkg/payload/payload_test.go b/pkg/payload/payload_test.go index 21730fd23..0e49f0ecf 100644 --- a/pkg/payload/payload_test.go +++ b/pkg/payload/payload_test.go @@ -15,6 +15,7 @@ import ( "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/klog/v2" + "k8s.io/utils/ptr" configv1 "github.com/openshift/api/config/v1" imagev1 "github.com/openshift/api/image/v1" @@ -66,6 +67,7 @@ func TestLoadUpdate(t *testing.T) { }, }, Architecture: architecture, + MajorVersion: ptr.To(uint64(1)), ManifestHash: "DL-FFQ2Uem8=", Manifests: []manifest.Manifest{ { @@ -177,6 +179,7 @@ func TestLoadUpdateArchitecture(t *testing.T) { }, }, Architecture: "Multi", + MajorVersion: ptr.To(uint64(1)), ManifestHash: "fvnVhLw92pE=", Manifests: []manifest.Manifest{ { @@ -365,7 +368,7 @@ func TestGetImplicitlyEnabledCapabilities(t *testing.T) { if tt.pathExt == "test10" { updateMans = append(updateMans, updateMans[0]) } - caps := GetImplicitlyEnabledCapabilities(updateMans, currentMans, tt.capabilities, sets.Set[string]{}) + caps := GetImplicitlyEnabledCapabilities(updateMans, currentMans, tt.capabilities, sets.Set[string]{}, nil) if diff := cmp.Diff(tt.wantImplicit, caps); diff != "" { t.Errorf("%s: wantImplicit differs from expected:\n%s", tt.name, diff) } diff --git a/pkg/payload/render.go b/pkg/payload/render.go index e1c22e625..6902fa6b3 100644 --- a/pkg/payload/render.go +++ b/pkg/payload/render.go @@ -2,12 +2,14 @@ package payload import ( "bytes" + "encoding/json" "fmt" "os" "path/filepath" "strings" "text/template" + "github.com/blang/semver/v4" "github.com/openshift/api/config" configv1 "github.com/openshift/api/config/v1" "github.com/openshift/library-go/pkg/manifest" @@ -40,6 +42,11 @@ func Render(outputDir, releaseImage, featureGateManifestPath, clusterProfile str return fmt.Errorf("error parsing feature gate manifest: %w", err) } + payloadVersion, err := loadReleaseVersion(releaseManifestsDir) + if err != nil { + return fmt.Errorf("error loading release version: %w", err) + } + tasks := []struct { idir string odir string @@ -70,7 +77,7 @@ func Render(outputDir, releaseImage, featureGateManifestPath, clusterProfile str }} var errs []error for _, task := range tasks { - if err := renderDir(renderConfig, task.idir, task.odir, requiredFeatureSet, enabledFeatureGates, &clusterProfile, task.processTemplate, task.skipFiles, task.filterGroupKind); err != nil { + if err := renderDir(renderConfig, task.idir, task.odir, requiredFeatureSet, enabledFeatureGates, &clusterProfile, ptr.To(payloadVersion.Major), task.processTemplate, task.skipFiles, task.filterGroupKind); err != nil { errs = append(errs, err) } } @@ -82,8 +89,8 @@ func Render(outputDir, releaseImage, featureGateManifestPath, clusterProfile str return nil } -func renderDir(renderConfig manifestRenderConfig, idir, odir string, requiredFeatureSet *string, enabledFeatureGates sets.Set[string], clusterProfile *string, processTemplate bool, skipFiles sets.Set[string], filterGroupKind sets.Set[schema.GroupKind]) error { - klog.Infof("Filtering manifests in %s for feature set %v, cluster profile %v and enabled feature gates %v", idir, *requiredFeatureSet, *clusterProfile, enabledFeatureGates.UnsortedList()) +func renderDir(renderConfig manifestRenderConfig, idir, odir string, requiredFeatureSet *string, enabledFeatureGates sets.Set[string], clusterProfile *string, majorVersion *uint64, processTemplate bool, skipFiles sets.Set[string], filterGroupKind sets.Set[schema.GroupKind]) error { + klog.Infof("Filtering manifests in %s for feature set %v, cluster profile %v, enabled feature gates %v, and major version %v", idir, *requiredFeatureSet, *clusterProfile, enabledFeatureGates.UnsortedList(), ptr.Deref(majorVersion, 0)) if err := os.MkdirAll(odir, 0666); err != nil { return err @@ -133,7 +140,7 @@ func renderDir(renderConfig manifestRenderConfig, idir, odir string, requiredFea for _, manifest := range manifests { if len(filterGroupKind) > 0 && !filterGroupKind.Has(manifest.GVK.GroupKind()) { klog.Infof("excluding %s because we do not render that group/kind", manifest.String()) - } else if err := manifest.Include(nil, requiredFeatureSet, clusterProfile, nil, nil, enabledFeatureGates); err != nil { + } else if err := manifest.Include(nil, requiredFeatureSet, clusterProfile, nil, nil, enabledFeatureGates, majorVersion); err != nil { klog.Infof("excluding %s: %v", manifest.String(), err) } else { filteredManifests = append(filteredManifests, string(manifest.Raw)) @@ -238,3 +245,27 @@ func parseFeatureGateManifest(featureGateManifestPath string) (*string, sets.Set return requiredFeatureSet, enabledFeatureGates, nil } + +func loadReleaseVersion(releaseDir string) (semver.Version, error) { + path := filepath.Join(releaseDir, cincinnatiJSONFile) + data, err := os.ReadFile(path) + if err != nil { + return semver.Version{}, err + } + + var metadata metadata + if err := json.Unmarshal(data, &metadata); err != nil { + return semver.Version{}, fmt.Errorf("unmarshal Cincinnati metadata: %w", err) + } + + if metadata.Version == "" { + return semver.Version{}, errors.New("missing required Cincinnati metadata version") + } + + parsedVersion, err := semver.Parse(metadata.Version) + if err != nil { + return semver.Version{}, fmt.Errorf("Cincinnati metadata version %q is not a valid semantic version: %v", metadata.Version, err) + } + + return parsedVersion, nil +} diff --git a/pkg/payload/render_test.go b/pkg/payload/render_test.go index efaafc427..0303855c7 100644 --- a/pkg/payload/render_test.go +++ b/pkg/payload/render_test.go @@ -6,6 +6,9 @@ import ( "testing" "github.com/google/go-cmp/cmp" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/apimachinery/pkg/util/sets" + "k8s.io/utils/ptr" ) func TestRenderManifest(t *testing.T) { @@ -58,3 +61,242 @@ func TestRenderManifest(t *testing.T) { }) } } + +func TestRenderDirWithMajorVersionFiltering(t *testing.T) { + tests := []struct { + name string + manifests []testManifest + majorVersion *uint64 + expectedInclusions []string // Names of manifests that should be included + expectedExclusions []string // Names of manifests that should be excluded + }{ + { + name: "major version 4 includes version 4 manifests", + manifests: []testManifest{ + { + name: "version4-manifest", + annotations: map[string]string{ + "release.openshift.io/major-version": "4", + }, + }, + { + name: "version5-manifest", + annotations: map[string]string{ + "release.openshift.io/major-version": "5", + }, + }, + { + name: "no-version-manifest", + annotations: map[string]string{}, + }, + }, + majorVersion: ptr.To(uint64(4)), + expectedInclusions: []string{"version4-manifest", "no-version-manifest"}, + expectedExclusions: []string{"version5-manifest"}, + }, + { + name: "major version 5 includes version 5 manifests", + manifests: []testManifest{ + { + name: "version4-manifest", + annotations: map[string]string{ + "release.openshift.io/major-version": "4", + }, + }, + { + name: "version5-manifest", + annotations: map[string]string{ + "release.openshift.io/major-version": "5", + }, + }, + }, + majorVersion: ptr.To(uint64(5)), + expectedInclusions: []string{"version5-manifest"}, + expectedExclusions: []string{"version4-manifest"}, + }, + { + name: "nil major version includes all manifests", + manifests: []testManifest{ + { + name: "version4-manifest", + annotations: map[string]string{ + "release.openshift.io/major-version": "4", + }, + }, + { + name: "version5-manifest", + annotations: map[string]string{ + "release.openshift.io/major-version": "5", + }, + }, + }, + majorVersion: nil, + expectedInclusions: []string{"version4-manifest", "version5-manifest"}, + expectedExclusions: []string{}, + }, + { + name: "exclusion filtering with major version", + manifests: []testManifest{ + { + name: "not-for-version3-manifest", + annotations: map[string]string{ + "release.openshift.io/major-version": "-3", + }, + }, + { + name: "only-for-version4-manifest", + annotations: map[string]string{ + "release.openshift.io/major-version": "4", + }, + }, + }, + majorVersion: ptr.To(uint64(4)), + expectedInclusions: []string{"not-for-version3-manifest", "only-for-version4-manifest"}, + expectedExclusions: []string{}, + }, + { + name: "complex major version filtering", + manifests: []testManifest{ + { + name: "version4-or-5-manifest", + annotations: map[string]string{ + "release.openshift.io/major-version": "4,5", + }, + }, + { + name: "exclude-version3-manifest", + annotations: map[string]string{ + "release.openshift.io/major-version": "-3", + }, + }, + { + name: "version6-only-manifest", + annotations: map[string]string{ + "release.openshift.io/major-version": "6", + }, + }, + }, + majorVersion: ptr.To(uint64(4)), + expectedInclusions: []string{"version4-or-5-manifest", "exclude-version3-manifest"}, + expectedExclusions: []string{"version6-only-manifest"}, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + // Create temporary directory structure + tempDir := t.TempDir() + inputDir := tempDir + "/input" + outputDir := tempDir + "/output" + + if err := os.MkdirAll(inputDir, 0755); err != nil { + t.Fatalf("failed to create input directory: %v", err) + } + if err := os.MkdirAll(outputDir, 0755); err != nil { + t.Fatalf("failed to create output directory: %v", err) + } + + // Write test manifests to input directory + for _, manifest := range tt.manifests { + manifestContent := createTestManifestYAML("apiextensions.k8s.io/v1", "CustomResourceDefinition", manifest.name, manifest.annotations) + manifestPath := inputDir + "/" + manifest.name + ".yaml" + if err := os.WriteFile(manifestPath, []byte(manifestContent), 0644); err != nil { + t.Fatalf("failed to write manifest %s: %v", manifest.name, err) + } + } + + // Setup render configuration + renderConfig := manifestRenderConfig{ + ReleaseImage: "test-image:latest", + ClusterProfile: "test-profile", + } + + requiredFeatureSet := "test" + enabledFeatureGates := sets.Set[string]{} + clusterProfile := "test-profile" + + // Call renderDir with major version + err := renderDir( + renderConfig, + inputDir, + outputDir, + &requiredFeatureSet, + enabledFeatureGates, + &clusterProfile, + tt.majorVersion, + false, // processTemplate + sets.Set[string]{}, // skipFiles + sets.Set[schema.GroupKind]{}, // filterGroupKind + ) + + if err != nil { + t.Fatalf("renderDir failed: %v", err) + } + + // Check which manifests were included in output + outputFiles, err := os.ReadDir(outputDir) + if err != nil { + t.Fatalf("failed to read output directory: %v", err) + } + + includedManifests := make(map[string]bool) + for _, file := range outputFiles { + if strings.HasSuffix(file.Name(), ".yaml") { + manifestName := strings.TrimSuffix(file.Name(), ".yaml") + includedManifests[manifestName] = true + } + } + + // Verify expected inclusions + for _, expectedName := range tt.expectedInclusions { + if !includedManifests[expectedName] { + t.Errorf("Expected manifest %s to be included, but it was not found in output", expectedName) + } + } + + // Verify expected exclusions + for _, expectedExcludedName := range tt.expectedExclusions { + if includedManifests[expectedExcludedName] { + t.Errorf("Expected manifest %s to be excluded, but it was found in output", expectedExcludedName) + } + } + }) + } +} + +// testManifest represents a test manifest with its annotations +type testManifest struct { + name string + annotations map[string]string +} + +// createTestManifestYAML creates a YAML representation of a test manifest +func createTestManifestYAML(apiVersion, kind, name string, annotations map[string]string) string { + yaml := `apiVersion: ` + apiVersion + ` +kind: ` + kind + ` +metadata: + name: ` + name + ` + namespace: test-namespace` + + // Always add required cluster profile annotation + allAnnotations := make(map[string]string) + allAnnotations["include.release.openshift.io/test-profile"] = "true" + + // Add provided annotations + for k, v := range annotations { + allAnnotations[k] = v + } + + if len(allAnnotations) > 0 { + yaml += "\n annotations:" + for k, v := range allAnnotations { + yaml += "\n " + k + ": \"" + v + "\"" + } + } + + yaml += ` +data: + test: "data"` + + return yaml +} diff --git a/vendor/github.com/openshift/api/config/v1/types_apiserver.go b/vendor/github.com/openshift/api/config/v1/types_apiserver.go index 0afe7b1d8..31d888185 100644 --- a/vendor/github.com/openshift/api/config/v1/types_apiserver.go +++ b/vendor/github.com/openshift/api/config/v1/types_apiserver.go @@ -212,6 +212,7 @@ type APIServerEncryption struct { // +openshift:validation:FeatureGateAwareEnum:featureGate="",enum="";identity;aescbc;aesgcm // +openshift:validation:FeatureGateAwareEnum:featureGate=KMSEncryptionProvider,enum="";identity;aescbc;aesgcm;KMS +// +openshift:validation:FeatureGateAwareEnum:featureGate=KMSEncryption,enum="";identity;aescbc;aesgcm;KMS type EncryptionType string const ( diff --git a/vendor/github.com/openshift/api/config/v1/types_authentication.go b/vendor/github.com/openshift/api/config/v1/types_authentication.go index e300d4eab..e7433281f 100644 --- a/vendor/github.com/openshift/api/config/v1/types_authentication.go +++ b/vendor/github.com/openshift/api/config/v1/types_authentication.go @@ -80,8 +80,7 @@ type AuthenticationSpec struct { // +optional ServiceAccountIssuer string `json:"serviceAccountIssuer"` - // oidcProviders are OIDC identity providers that can issue tokens - // for this cluster + // oidcProviders are OIDC identity providers that can issue tokens for this cluster // Can only be set if "Type" is set to "OIDC". // // At most one provider can be configured. @@ -113,8 +112,7 @@ type AuthenticationStatus struct { // +optional IntegratedOAuthMetadata ConfigMapNameReference `json:"integratedOAuthMetadata"` - // oidcClients is where participating operators place the current OIDC client status - // for OIDC clients that can be customized by the cluster-admin. + // oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. // // +listType=map // +listMapKey=componentNamespace @@ -146,8 +144,7 @@ type AuthenticationType string const ( // None means that no cluster managed authentication system is in place. - // Note that user login will only work if a manually configured system is in place and - // referenced in authentication spec via oauthMetadata and + // Note that user login will only work if a manually configured system is in place and referenced in authentication spec via oauthMetadata and // webhookTokenAuthenticator/oidcProviders AuthenticationTypeNone AuthenticationType = "None" @@ -199,10 +196,8 @@ const ( ) type OIDCProvider struct { - // name is a required field that configures the unique human-readable identifier - // associated with the identity provider. - // It is used to distinguish between multiple identity providers - // and has no impact on token validation or authentication mechanics. + // name is a required field that configures the unique human-readable identifier associated with the identity provider. + // It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. // // name must not be an empty string (""). // @@ -210,15 +205,12 @@ type OIDCProvider struct { // +required Name string `json:"name"` - // issuer is a required field that configures how the platform interacts - // with the identity provider and how tokens issued from the identity provider - // are evaluated by the Kubernetes API server. + // issuer is a required field that configures how the platform interacts with the identity provider and how tokens issued from the identity provider are evaluated by the Kubernetes API server. // // +required Issuer TokenIssuer `json:"issuer"` - // oidcClients is an optional field that configures how on-cluster, - // platform clients should request tokens from the identity provider. + // oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. // oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. // // +listType=map @@ -228,16 +220,12 @@ type OIDCProvider struct { // +optional OIDCClients []OIDCClientConfig `json:"oidcClients"` - // claimMappings is a required field that configures the rules to be used by - // the Kubernetes API server for translating claims in a JWT token, issued - // by the identity provider, to a cluster identity. + // claimMappings is a required field that configures the rules to be used by the Kubernetes API server for translating claims in a JWT token, issued by the identity provider, to a cluster identity. // // +required ClaimMappings TokenClaimMappings `json:"claimMappings"` - // claimValidationRules is an optional field that configures the rules to - // be used by the Kubernetes API server for validating the claims in a JWT - // token issued by the identity provider. + // claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. // // Validation rules are joined via an AND operation. // @@ -245,9 +233,7 @@ type OIDCProvider struct { // +optional ClaimValidationRules []TokenClaimValidationRule `json:"claimValidationRules,omitempty"` - // userValidationRules is an optional field that configures the set of rules - // used to validate the cluster user identity that was constructed via - // mapping token claims to user identity attributes. + // userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. // Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. // If any rule in the chain of rules evaluates to 'false', authentication will fail. // When specified, at least one rule must be specified and no more than 64 rules may be specified. @@ -266,10 +252,8 @@ type TokenAudience string // +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="self.?discoveryURL.orValue(\"\").size() > 0 ? (self.issuerURL.size() == 0 || self.discoveryURL.find('^.+[^/]') != self.issuerURL.find('^.+[^/]')) : true",message="discoveryURL must be different from issuerURL" type TokenIssuer struct { - // issuerURL is a required field that configures the URL used to issue tokens - // by the identity provider. - // The Kubernetes API server determines how authentication tokens should be handled - // by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + // issuerURL is a required field that configures the URL used to issue tokens by the identity provider. + // The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. // // Must be at least 1 character and must not exceed 512 characters in length. // Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. @@ -284,8 +268,7 @@ type TokenIssuer struct { // +required URL string `json:"issuerURL"` - // audiences is a required field that configures the acceptable audiences - // the JWT token, issued by the identity provider, must be issued to. + // audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. // At least one of the entries must match the 'aud' claim in the JWT token. // // audiences must contain at least one entry and must not exceed ten entries. @@ -296,24 +279,20 @@ type TokenIssuer struct { // +required Audiences []TokenAudience `json:"audiences"` - // issuerCertificateAuthority is an optional field that configures the - // certificate authority, used by the Kubernetes API server, to validate - // the connection to the identity provider when fetching discovery information. + // issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. // // When not specified, the system trust is used. // - // When specified, it must reference a ConfigMap in the openshift-config - // namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - // key in the data field of the ConfigMap. + // When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. // // +optional CertificateAuthority ConfigMapNameReference `json:"issuerCertificateAuthority"` - // discoveryURL is an optional field that, if specified, overrides the default discovery endpoint - // used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` - // as "{issuerURL}/.well-known/openid-configuration". + // discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. + // By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". // - // The discoveryURL must be a valid absolute HTTPS URL. It must not contain query - // parameters, user information, or fragments. Additionally, it must differ from the value of `url` (ignoring trailing slashes). + // The discoveryURL must be a valid absolute HTTPS URL. + // It must not contain query parameters, user information, or fragments. + // Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). // The discoveryURL value must be at least 1 character long and no longer than 2048 characters. // // +optional @@ -329,39 +308,36 @@ type TokenIssuer struct { } type TokenClaimMappings struct { - // username is a required field that configures how the username of a cluster identity - // should be constructed from the claims in a JWT token issued by the identity provider. + // username is a required field that configures how the username of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. // // +required Username UsernameClaimMapping `json:"username"` - // groups is an optional field that configures how the groups of a cluster identity - // should be constructed from the claims in a JWT token issued - // by the identity provider. - // When referencing a claim, if the claim is present in the JWT - // token, its value must be a list of groups separated by a comma (','). + // groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. + // + // When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). + // // For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. // // +optional Groups PrefixedClaimMapping `json:"groups,omitempty"` - // uid is an optional field for configuring the claim mapping - // used to construct the uid for the cluster identity. + // uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. // // When using uid.claim to specify the claim it must be a single string value. // When using uid.expression the expression must result in a single string value. // - // When omitted, this means the user has no opinion and the platform - // is left to choose a default, which is subject to change over time. + // When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. + // // The current default is to use the 'sub' claim. // // +optional // +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings UID *TokenClaimOrExpressionMapping `json:"uid,omitempty"` - // extra is an optional field for configuring the mappings - // used to construct the extra attribute for the cluster identity. + // extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. // When omitted, no extra attributes will be present on the cluster identity. + // // key values for extra mappings must be unique. // A maximum of 32 extra attribute mappings may be provided. // @@ -373,52 +349,39 @@ type TokenClaimMappings struct { Extra []ExtraMapping `json:"extra,omitempty"` } -// TokenClaimMapping allows specifying a JWT token -// claim to be used when mapping claims from an -// authentication token to cluster identities. +// TokenClaimMapping allows specifying a JWT token claim to be used when mapping claims from an authentication token to cluster identities. type TokenClaimMapping struct { - // claim is a required field that configures the JWT token - // claim whose value is assigned to the cluster identity - // field associated with this mapping. + // claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. // // +required Claim string `json:"claim"` } -// TokenClaimOrExpressionMapping allows specifying either a JWT -// token claim or CEL expression to be used when mapping claims -// from an authentication token to cluster identities. +// TokenClaimOrExpressionMapping allows specifying either a JWT token claim or CEL expression to be used when mapping claims from an authentication token to cluster identities. // +kubebuilder:validation:XValidation:rule="has(self.claim) ? !has(self.expression) : has(self.expression)",message="precisely one of claim or expression must be set" type TokenClaimOrExpressionMapping struct { - // claim is an optional field for specifying the - // JWT token claim that is used in the mapping. - // The value of this claim will be assigned to - // the field in which this mapping is associated. + // claim is an optional field for specifying the JWT token claim that is used in the mapping. + // The value of this claim will be assigned to the field in which this mapping is associated. // // Precisely one of claim or expression must be set. // claim must not be specified when expression is set. - // When specified, claim must be at least 1 character in length - // and must not exceed 256 characters in length. + // When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. // // +optional // +kubebuilder:validation:MaxLength=256 // +kubebuilder:validation:MinLength=1 Claim string `json:"claim,omitempty"` - // expression is an optional field for specifying a - // CEL expression that produces a string value from - // JWT token claims. + // expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. // - // CEL expressions have access to the token claims - // through a CEL variable, 'claims'. + // CEL expressions have access to the token claims through a CEL variable, 'claims'. // 'claims' is a map of claim names to claim values. // For example, the 'sub' claim value can be accessed as 'claims.sub'. // Nested claims can be accessed using dot notation ('claims.foo.bar'). // // Precisely one of claim or expression must be set. // expression must not be specified when claim is set. - // When specified, expression must be at least 1 character in length - // and must not exceed 1024 characters in length. + // When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. // // +optional // +kubebuilder:validation:MaxLength=1024 @@ -426,13 +389,10 @@ type TokenClaimOrExpressionMapping struct { Expression string `json:"expression,omitempty"` } -// ExtraMapping allows specifying a key and CEL expression -// to evaluate the keys' value. It is used to create additional -// mappings and attributes added to a cluster identity from -// a provided authentication token. +// ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. +// It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token. type ExtraMapping struct { - // key is a required field that specifies the string - // to use as the extra attribute key. + // key is a required field that specifies the string to use as the extra attribute key. // // key must be a domain-prefix path (e.g 'example.org/foo'). // key must not exceed 510 characters in length. @@ -445,8 +405,7 @@ type ExtraMapping struct { // It must only contain lower case alphanumeric characters and '-' or '.'. // It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". // - // The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one - // alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + // The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. // It must not exceed 256 characters in length. // // +required @@ -468,14 +427,12 @@ type ExtraMapping struct { // +kubebuilder:validation:XValidation:rule="self.split('/', 2)[1].size() <= 256",message="the path of the key must not exceed 256 characters in length" Key string `json:"key"` - // valueExpression is a required field to specify the CEL expression to extract - // the extra attribute value from a JWT token's claims. + // valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. // valueExpression must produce a string or string array value. // "", [], and null are treated as the extra mapping not being present. // Empty string values within an array are filtered out. // - // CEL expressions have access to the token claims - // through a CEL variable, 'claims'. + // CEL expressions have access to the token claims through a CEL variable, 'claims'. // 'claims' is a map of claim names to claim values. // For example, the 'sub' claim value can be accessed as 'claims.sub'. // Nested claims can be accessed using dot notation ('claims.foo.bar'). @@ -489,12 +446,10 @@ type ExtraMapping struct { ValueExpression string `json:"valueExpression"` } -// OIDCClientConfig configures how platform clients -// interact with identity providers as an authentication -// method +// OIDCClientConfig configures how platform clients interact with identity providers as an authentication method. type OIDCClientConfig struct { - // componentName is a required field that specifies the name of the platform - // component being configured to use the identity provider as an authentication mode. + // componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. + // // It is used in combination with componentNamespace as a unique identifier. // // componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -504,9 +459,8 @@ type OIDCClientConfig struct { // +required ComponentName string `json:"componentName"` - // componentNamespace is a required field that specifies the namespace in which the - // platform component being configured to use the identity provider as an authentication - // mode is running. + // componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. + // // It is used in combination with componentName as a unique identifier. // // componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. @@ -516,11 +470,8 @@ type OIDCClientConfig struct { // +required ComponentNamespace string `json:"componentNamespace"` - // clientID is a required field that configures the client identifier, from - // the identity provider, that the platform component uses for authentication - // requests made to the identity provider. - // The identity provider must accept this identifier for platform components - // to be able to use the identity provider as an authentication mode. + // clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. + // The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. // // clientID must not be an empty string (""). // @@ -528,27 +479,21 @@ type OIDCClientConfig struct { // +required ClientID string `json:"clientID"` - // clientSecret is an optional field that configures the client secret used - // by the platform component when making authentication requests to the identity provider. + // clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. + // + // When not specified, no client secret will be used when making authentication requests to the identity provider. // - // When not specified, no client secret will be used when making authentication requests - // to the identity provider. + // When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. // - // When specified, clientSecret references a Secret in the 'openshift-config' - // namespace that contains the client secret in the 'clientSecret' key of the '.data' field. // The client secret will be used when making authentication requests to the identity provider. // - // Public clients do not require a client secret but private - // clients do require a client secret to work with the identity provider. + // Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. // // +optional ClientSecret SecretNameReference `json:"clientSecret"` - // extraScopes is an optional field that configures the extra scopes that should - // be requested by the platform component when making authentication requests to the - // identity provider. - // This is useful if you have configured claim mappings that requires specific - // scopes to be requested beyond the standard OIDC scopes. + // extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. + // This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. // // When omitted, no additional scopes are requested. // @@ -561,8 +506,7 @@ type OIDCClientConfig struct { // of platform components and how they interact with // the configured identity providers. type OIDCClientStatus struct { - // componentName is a required field that specifies the name of the platform - // component using the identity provider as an authentication mode. + // componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. // It is used in combination with componentNamespace as a unique identifier. // // componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -572,9 +516,8 @@ type OIDCClientStatus struct { // +required ComponentName string `json:"componentName"` - // componentNamespace is a required field that specifies the namespace in which the - // platform component using the identity provider as an authentication - // mode is running. + // componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. + // // It is used in combination with componentName as a unique identifier. // // componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. @@ -585,6 +528,7 @@ type OIDCClientStatus struct { ComponentNamespace string `json:"componentNamespace"` // currentOIDCClients is an optional list of clients that the component is currently using. + // // Entries must have unique issuerURL/clientID pairs. // // +listType=map @@ -593,8 +537,7 @@ type OIDCClientStatus struct { // +optional CurrentOIDCClients []OIDCClientReference `json:"currentOIDCClients"` - // consumingUsers is an optional list of ServiceAccounts requiring - // read permissions on the `clientSecret` secret. + // consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. // // consumingUsers must not exceed 5 entries. // @@ -620,8 +563,7 @@ type OIDCClientStatus struct { // OIDCClientReference is a reference to a platform component // client configuration. type OIDCClientReference struct { - // oidcProviderName is a required reference to the 'name' of the identity provider - // configured in 'oidcProviders' that this client is associated with. + // oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. // // oidcProviderName must not be an empty string (""). // @@ -629,8 +571,7 @@ type OIDCClientReference struct { // +required OIDCProviderName string `json:"oidcProviderName"` - // issuerURL is a required field that specifies the URL of the identity - // provider that this client is configured to make requests against. + // issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. // // issuerURL must use the 'https' scheme. // @@ -638,9 +579,7 @@ type OIDCClientReference struct { // +required IssuerURL string `json:"issuerURL"` - // clientID is a required field that specifies the client identifier, from - // the identity provider, that the platform component is using for authentication - // requests made to the identity provider. + // clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. // // clientID must not be empty. // @@ -652,9 +591,7 @@ type OIDCClientReference struct { // +kubebuilder:validation:XValidation:rule="has(self.prefixPolicy) && self.prefixPolicy == 'Prefix' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)",message="prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise" // +union type UsernameClaimMapping struct { - // claim is a required field that configures the JWT token - // claim whose value is assigned to the cluster identity - // field associated with this mapping. + // claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. // // claim must not be an empty string ("") and must not exceed 256 characters. // @@ -663,23 +600,21 @@ type UsernameClaimMapping struct { // +kubebuilder:validation:MaxLength:=256 Claim string `json:"claim"` - // prefixPolicy is an optional field that configures how a prefix should be - // applied to the value of the JWT claim specified in the 'claim' field. + // prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. // // Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). // - // When set to 'Prefix', the value specified in the prefix field will be - // prepended to the value of the JWT claim. + // When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. + // // The prefix field must be set when prefixPolicy is 'Prefix'. // - // When set to 'NoPrefix', no prefix will be prepended to the value - // of the JWT claim. + // When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. + // + // When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. + // Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. // - // When omitted, this means no opinion and the platform is left to choose - // any prefixes that are applied which is subject to change over time. - // Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - // when the claim is not 'email'. // As an example, consider the following scenario: + // // `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, // the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", // and `claim` is set to: @@ -691,8 +626,7 @@ type UsernameClaimMapping struct { // +unionDiscriminator PrefixPolicy UsernamePrefixPolicy `json:"prefixPolicy"` - // prefix configures the prefix that should be prepended to the value - // of the JWT claim. + // prefix configures the prefix that should be prepended to the value of the JWT claim. // // prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. // @@ -701,9 +635,7 @@ type UsernameClaimMapping struct { Prefix *UsernamePrefix `json:"prefix"` } -// UsernamePrefixPolicy configures how prefixes should be applied -// to values extracted from the JWT claims during the process of mapping -// JWT claims to cluster identity attributes. +// UsernamePrefixPolicy configures how prefixes should be applied to values extracted from the JWT claims during the process of mapping JWT claims to cluster identity attributes. // +enum type UsernamePrefixPolicy string @@ -722,9 +654,7 @@ var ( // UsernamePrefix configures the string that should // be used as a prefix for username claim mappings. type UsernamePrefix struct { - // prefixString is a required field that configures the prefix that will - // be applied to cluster identity username attribute - // during the process of mapping JWT claims to cluster identity attributes. + // prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. // // prefixString must not be an empty string (""). // @@ -738,15 +668,11 @@ type UsernamePrefix struct { type PrefixedClaimMapping struct { TokenClaimMapping `json:",inline"` - // prefix is an optional field that configures the prefix that will be - // applied to the cluster identity attribute during the process of mapping - // JWT claims to cluster identity attributes. + // prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. // // When omitted (""), no prefix is applied to the cluster identity attribute. // - // Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains - // an array of strings "a", "b" and "c", the mapping will result in an - // array of string "myoidc:a", "myoidc:b" and "myoidc:c". + // Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". // // +optional Prefix string `json:"prefix"` @@ -780,19 +706,15 @@ type TokenClaimValidationRule struct { // // Allowed values are "RequiredClaim" and "CEL". // - // When set to 'RequiredClaim', the Kubernetes API server will be configured - // to validate that the incoming JWT contains the required claim and that its - // value matches the required value. + // When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. // - // When set to 'CEL', the Kubernetes API server will be configured - // to validate the incoming JWT against the configured CEL expression. + // When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. // +required Type TokenValidationRuleType `json:"type"` // requiredClaim allows configuring a required claim name and its expected value. - // This field is required when `type` is set to RequiredClaim, and must be omitted - // when `type` is set to any other value. The Kubernetes API server uses this field - // to validate if an incoming JWT is valid for this identity provider. + // This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. + // The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. // // +optional RequiredClaim *TokenRequiredClaim `json:"requiredClaim,omitempty"` @@ -814,10 +736,8 @@ type TokenRequiredClaim struct { // +required Claim string `json:"claim"` - // requiredValue is a required field that configures the value that 'claim' must - // have when taken from the incoming JWT claims. - // If the value in the JWT claims does not match, the token - // will be rejected for authentication. + // requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. + // If the value in the JWT claims does not match, the token will be rejected for authentication. // // requiredValue must not be an empty string (""). // @@ -836,8 +756,7 @@ type TokenClaimValidationCELRule struct { // +required Expression string `json:"expression,omitempty"` - // message is a required human-readable message to be logged by the Kubernetes API server - // if the CEL expression defined in 'expression' fails. + // message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. // message must be at least 1 character in length and must not exceed 256 characters. // +required // +kubebuilder:validation:MinLength=1 @@ -848,8 +767,8 @@ type TokenClaimValidationCELRule struct { // TokenUserValidationRule provides a CEL-based rule used to validate a token subject. // Each rule contains a CEL expression that is evaluated against the token’s claims. type TokenUserValidationRule struct { - // expression is a required CEL expression that performs a validation - // on cluster user identity attributes like username, groups, etc. + // expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc. + // // The expression must evaluate to a boolean value. // When the expression evaluates to 'true', the cluster user identity is considered valid. // When the expression evaluates to 'false', the cluster user identity is not considered valid. @@ -859,8 +778,7 @@ type TokenUserValidationRule struct { // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=1024 Expression string `json:"expression,omitempty"` - // message is a required human-readable message to be logged by the Kubernetes API server - // if the CEL expression defined in 'expression' fails. + // message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. // message must be at least 1 character in length and must not exceed 256 characters. // +required // +kubebuilder:validation:MinLength=1 diff --git a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go index 313ed57a4..369ba1e7a 100644 --- a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go +++ b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go @@ -302,9 +302,10 @@ type PlatformSpec struct { // balancers, dynamic volume provisioning, machine creation and deletion, and // other integrations are enabled. If None, no infrastructure automation is // enabled. Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - // "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - // "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms, - // and must handle unrecognized platforms as None if they do not support that platform. + // "OpenStack", "VSphere", "oVirt", "IBMCloud", "KubeVirt", "EquinixMetal", + // "PowerVS", "AlibabaCloud", "Nutanix", "External", and "None". Individual + // components may not support all platforms, and must handle unrecognized + // platforms as None if they do not support that platform. // // +unionDiscriminator Type PlatformType `json:"type"` diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index 6206ad77a..d436a75b8 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -158,69 +158,6 @@ spec: description: encryption allows the configuration of encryption of resources at the datastore layer. properties: - kms: - description: |- - kms defines the configuration for the external KMS instance that manages the encryption keys, - when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an - externally configured KMS instance. - - The Key Management Service (KMS) instance provides symmetric encryption and is responsible for - managing the lifecyle of the encryption keys outside of the control plane. - This allows integration with an external provider to manage the data encryption keys securely. - properties: - aws: - description: |- - aws defines the key config for using an AWS KMS instance - for the encryption. The AWS KMS instance is managed - by the user outside the purview of the control plane. - properties: - keyARN: - description: |- - keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. - The value must adhere to the format `arn:aws:kms:::key/`, where: - - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - - `` is a 12-digit numeric identifier for the AWS account. - - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. - maxLength: 128 - minLength: 1 - type: string - x-kubernetes-validations: - - message: keyARN must follow the format `arn:aws:kms:::key/`. - The account ID must be a 12 digit number and the region - and key ID should consist only of lowercase hexadecimal - characters and hyphens (-). - rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') - region: - description: |- - region specifies the AWS region where the KMS instance exists, and follows the format - `--`, e.g.: `us-east-1`. - Only lowercase letters and hyphens followed by numbers are allowed. - maxLength: 64 - minLength: 1 - type: string - x-kubernetes-validations: - - message: region must be a valid AWS region, consisting - of lowercase characters, digits and hyphens (-) only. - rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') - required: - - keyARN - - region - type: object - type: - description: |- - type defines the kind of platform for the KMS provider. - Available provider types are AWS only. - enum: - - AWS - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: aws config is required when kms provider type is AWS, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) - : !has(self.aws)' type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer. @@ -244,11 +181,6 @@ spec: - KMS type: string type: object - x-kubernetes-validations: - - message: kms config is required when encryption type is KMS, and - forbidden otherwise - rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : - !has(self.kms)' servingCerts: description: |- servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml index 7476fd465..e3c2202ea 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml @@ -71,37 +71,33 @@ spec: type: object oidcProviders: description: |- - oidcProviders are OIDC identity providers that can issue tokens - for this cluster + oidcProviders are OIDC identity providers that can issue tokens for this cluster Can only be set if "Type" is set to "OIDC". At most one provider can be configured. items: properties: claimMappings: - description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + description: claimMappings is a required field that configures + the rules to be used by the Kubernetes API server for translating + claims in a JWT token, issued by the identity provider, to + a cluster identity. properties: extra: description: |- - extra is an optional field for configuring the mappings - used to construct the extra attribute for the cluster identity. + extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided. items: description: |- - ExtraMapping allows specifying a key and CEL expression - to evaluate the keys' value. It is used to create additional - mappings and attributes added to a cluster identity from - a provided authentication token. + ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. + It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token. properties: key: description: |- - key is a required field that specifies the string - to use as the extra attribute key. + key is a required field that specifies the string to use as the extra attribute key. key must be a domain-prefix path (e.g 'example.org/foo'). key must not exceed 510 characters in length. @@ -114,8 +110,7 @@ spec: It must only contain lower case alphanumeric characters and '-' or '.'. It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". - The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one - alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. It must not exceed 256 characters in length. maxLength: 510 minLength: 1 @@ -159,14 +154,12 @@ spec: rule: self.split('/', 2)[1].size() <= 256 valueExpression: description: |- - valueExpression is a required field to specify the CEL expression to extract - the extra attribute value from a JWT token's claims. + valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. "", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). @@ -187,76 +180,62 @@ spec: x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). + groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. + + When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a required field that configures + the JWT token claim whose value is assigned to the + cluster identity field associated with this mapping. type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string required: - claim type: object uid: description: |- - uid is an optional field for configuring the claim mapping - used to construct the uid for the cluster identity. + uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. When using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value. - When omitted, this means the user has no opinion and the platform - is left to choose a default, which is subject to change over time. + When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. properties: claim: description: |- - claim is an optional field for specifying the - JWT token claim that is used in the mapping. - The value of this claim will be assigned to - the field in which this mapping is associated. + claim is an optional field for specifying the JWT token claim that is used in the mapping. + The value of this claim will be assigned to the field in which this mapping is associated. Precisely one of claim or expression must be set. claim must not be specified when expression is set. - When specified, claim must be at least 1 character in length - and must not exceed 256 characters in length. + When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string expression: description: |- - expression is an optional field for specifying a - CEL expression that produces a string value from - JWT token claims. + expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). Precisely one of claim or expression must be set. expression must not be specified when claim is set. - When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. + When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. maxLength: 1024 minLength: 1 type: string @@ -266,15 +245,14 @@ spec: set rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: - description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + description: username is a required field that configures + how the username of a cluster identity should be constructed + from the claims in a JWT token issued by the identity + provider. properties: claim: description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 @@ -282,16 +260,13 @@ spec: type: string prefix: description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. + prefix configures the prefix that should be prepended to the value of the JWT claim. prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. + prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. prefixString must not be an empty string (""). minLength: 1 @@ -301,23 +276,21 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. + prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. + When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. + When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", and `claim` is set to: @@ -342,9 +315,7 @@ spec: type: object claimValidationRules: description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. + claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. Validation rules are joined via an AND operation. items: @@ -368,8 +339,7 @@ spec: type: string message: description: |- - message is a required human-readable message to be logged by the Kubernetes API server - if the CEL expression defined in 'expression' fails. + message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters. maxLength: 256 minLength: 1 @@ -381,9 +351,8 @@ spec: requiredClaim: description: |- requiredClaim allows configuring a required claim name and its expected value. - This field is required when `type` is set to RequiredClaim, and must be omitted - when `type` is set to any other value. The Kubernetes API server uses this field - to validate if an incoming JWT is valid for this identity provider. + This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. + The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. properties: claim: description: |- @@ -395,10 +364,8 @@ spec: type: string requiredValue: description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. + requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token will be rejected for authentication. requiredValue must not be an empty string (""). minLength: 1 @@ -413,12 +380,9 @@ spec: Allowed values are "RequiredClaim" and "CEL". - When set to 'RequiredClaim', the Kubernetes API server will be configured - to validate that the incoming JWT contains the required claim and that its - value matches the required value. + When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. - When set to 'CEL', the Kubernetes API server will be configured - to validate the incoming JWT against the configured CEL expression. + When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. enum: - RequiredClaim - CEL @@ -438,15 +402,14 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer is a required field that configures how + the platform interacts with the identity provider and how + tokens issued from the identity provider are evaluated by + the Kubernetes API server. properties: audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. + audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token. audiences must contain at least one entry and must not exceed ten entries. @@ -459,12 +422,12 @@ spec: x-kubernetes-list-type: set discoveryURL: description: |- - discoveryURL is an optional field that, if specified, overrides the default discovery endpoint - used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` - as "{issuerURL}/.well-known/openid-configuration". + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. + By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". - The discoveryURL must be a valid absolute HTTPS URL. It must not contain query - parameters, user information, or fragments. Additionally, it must differ from the value of `url` (ignoring trailing slashes). + The discoveryURL must be a valid absolute HTTPS URL. + It must not contain query parameters, user information, or fragments. + Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters. maxLength: 2048 minLength: 1 @@ -482,15 +445,11 @@ spec: rule: '!self.matches(''^https://.+:.+@.+/.*$'')' issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. + issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. When not specified, the system trust is used. - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -501,10 +460,8 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + issuerURL is a required field that configures the URL used to issue tokens by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. Must be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. @@ -533,50 +490,39 @@ spec: : true' name: description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. + name is a required field that configures the unique human-readable identifier associated with the identity provider. + It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. + oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: - description: |- - OIDCClientConfig configures how platform clients - interact with identity providers as an authentication - method + description: OIDCClientConfig configures how platform clients + interact with identity providers as an authentication method. properties: clientID: description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. + clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. + The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. + clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests to the identity provider. - When not specified, no client secret will be used when making authentication requests - to the identity provider. + When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider. - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. + Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced @@ -587,8 +533,8 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -597,9 +543,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. @@ -608,11 +553,8 @@ spec: type: string extraScopes: description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. + extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. + This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. When omitted, no additional scopes are requested. items: @@ -632,9 +574,7 @@ spec: x-kubernetes-list-type: map userValidationRules: description: |- - userValidationRules is an optional field that configures the set of rules - used to validate the cluster user identity that was constructed via - mapping token claims to user identity attributes. + userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. If any rule in the chain of rules evaluates to 'false', authentication will fail. When specified, at least one rule must be specified and no more than 64 rules may be specified. @@ -645,8 +585,8 @@ spec: properties: expression: description: |- - expression is a required CEL expression that performs a validation - on cluster user identity attributes like username, groups, etc. + expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc. + The expression must evaluate to a boolean value. When the expression evaluates to 'true', the cluster user identity is considered valid. When the expression evaluates to 'false', the cluster user identity is not considered valid. @@ -656,8 +596,7 @@ spec: type: string message: description: |- - message is a required human-readable message to be logged by the Kubernetes API server - if the CEL expression defined in 'expression' fails. + message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters. maxLength: 256 minLength: 1 @@ -793,9 +732,9 @@ spec: - name type: object oidcClients: - description: |- - oidcClients is where participating operators place the current OIDC client status - for OIDC clients that can be customized by the cluster-admin. + description: oidcClients is where participating operators place the + current OIDC client status for OIDC clients that can be customized + by the cluster-admin. items: description: |- OIDCClientStatus represents the current state @@ -804,8 +743,7 @@ spec: properties: componentName: description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -814,9 +752,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. @@ -893,8 +830,7 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. consumingUsers must not exceed 5 entries. items: @@ -910,6 +846,7 @@ spec: currentOIDCClients: description: |- currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: description: |- @@ -918,25 +855,21 @@ spec: properties: clientID: description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. + clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. + issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. + oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. oidcProviderName must not be an empty string (""). minLength: 1 diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml index 5d93d98cc..64b650232 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml @@ -71,37 +71,33 @@ spec: type: object oidcProviders: description: |- - oidcProviders are OIDC identity providers that can issue tokens - for this cluster + oidcProviders are OIDC identity providers that can issue tokens for this cluster Can only be set if "Type" is set to "OIDC". At most one provider can be configured. items: properties: claimMappings: - description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + description: claimMappings is a required field that configures + the rules to be used by the Kubernetes API server for translating + claims in a JWT token, issued by the identity provider, to + a cluster identity. properties: extra: description: |- - extra is an optional field for configuring the mappings - used to construct the extra attribute for the cluster identity. + extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided. items: description: |- - ExtraMapping allows specifying a key and CEL expression - to evaluate the keys' value. It is used to create additional - mappings and attributes added to a cluster identity from - a provided authentication token. + ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. + It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token. properties: key: description: |- - key is a required field that specifies the string - to use as the extra attribute key. + key is a required field that specifies the string to use as the extra attribute key. key must be a domain-prefix path (e.g 'example.org/foo'). key must not exceed 510 characters in length. @@ -114,8 +110,7 @@ spec: It must only contain lower case alphanumeric characters and '-' or '.'. It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". - The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one - alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. It must not exceed 256 characters in length. maxLength: 510 minLength: 1 @@ -159,14 +154,12 @@ spec: rule: self.split('/', 2)[1].size() <= 256 valueExpression: description: |- - valueExpression is a required field to specify the CEL expression to extract - the extra attribute value from a JWT token's claims. + valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. "", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). @@ -187,76 +180,62 @@ spec: x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). + groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. + + When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a required field that configures + the JWT token claim whose value is assigned to the + cluster identity field associated with this mapping. type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string required: - claim type: object uid: description: |- - uid is an optional field for configuring the claim mapping - used to construct the uid for the cluster identity. + uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. When using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value. - When omitted, this means the user has no opinion and the platform - is left to choose a default, which is subject to change over time. + When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. properties: claim: description: |- - claim is an optional field for specifying the - JWT token claim that is used in the mapping. - The value of this claim will be assigned to - the field in which this mapping is associated. + claim is an optional field for specifying the JWT token claim that is used in the mapping. + The value of this claim will be assigned to the field in which this mapping is associated. Precisely one of claim or expression must be set. claim must not be specified when expression is set. - When specified, claim must be at least 1 character in length - and must not exceed 256 characters in length. + When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string expression: description: |- - expression is an optional field for specifying a - CEL expression that produces a string value from - JWT token claims. + expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). Precisely one of claim or expression must be set. expression must not be specified when claim is set. - When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. + When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. maxLength: 1024 minLength: 1 type: string @@ -266,15 +245,14 @@ spec: set rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: - description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + description: username is a required field that configures + how the username of a cluster identity should be constructed + from the claims in a JWT token issued by the identity + provider. properties: claim: description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 @@ -282,16 +260,13 @@ spec: type: string prefix: description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. + prefix configures the prefix that should be prepended to the value of the JWT claim. prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. + prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. prefixString must not be an empty string (""). minLength: 1 @@ -301,23 +276,21 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. + prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. + When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. + When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", and `claim` is set to: @@ -342,9 +315,7 @@ spec: type: object claimValidationRules: description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. + claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. Validation rules are joined via an AND operation. items: @@ -356,9 +327,8 @@ spec: requiredClaim: description: |- requiredClaim allows configuring a required claim name and its expected value. - This field is required when `type` is set to RequiredClaim, and must be omitted - when `type` is set to any other value. The Kubernetes API server uses this field - to validate if an incoming JWT is valid for this identity provider. + This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. + The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. properties: claim: description: |- @@ -370,10 +340,8 @@ spec: type: string requiredValue: description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. + requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token will be rejected for authentication. requiredValue must not be an empty string (""). minLength: 1 @@ -388,12 +356,9 @@ spec: Allowed values are "RequiredClaim" and "CEL". - When set to 'RequiredClaim', the Kubernetes API server will be configured - to validate that the incoming JWT contains the required claim and that its - value matches the required value. + When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. - When set to 'CEL', the Kubernetes API server will be configured - to validate the incoming JWT against the configured CEL expression. + When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. enum: - RequiredClaim type: string @@ -408,15 +373,14 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer is a required field that configures how + the platform interacts with the identity provider and how + tokens issued from the identity provider are evaluated by + the Kubernetes API server. properties: audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. + audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token. audiences must contain at least one entry and must not exceed ten entries. @@ -429,15 +393,11 @@ spec: x-kubernetes-list-type: set issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. + issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. When not specified, the system trust is used. - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -448,10 +408,8 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + issuerURL is a required field that configures the URL used to issue tokens by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. Must be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. @@ -475,50 +433,39 @@ spec: type: object name: description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. + name is a required field that configures the unique human-readable identifier associated with the identity provider. + It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. + oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: - description: |- - OIDCClientConfig configures how platform clients - interact with identity providers as an authentication - method + description: OIDCClientConfig configures how platform clients + interact with identity providers as an authentication method. properties: clientID: description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. + clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. + The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. + clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. - When not specified, no client secret will be used when making authentication requests - to the identity provider. + When not specified, no client secret will be used when making authentication requests to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider. - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. + Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced @@ -529,8 +476,8 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -539,9 +486,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. @@ -550,11 +496,8 @@ spec: type: string extraScopes: description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. + extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. + This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. When omitted, no additional scopes are requested. items: @@ -693,9 +636,9 @@ spec: - name type: object oidcClients: - description: |- - oidcClients is where participating operators place the current OIDC client status - for OIDC clients that can be customized by the cluster-admin. + description: oidcClients is where participating operators place the + current OIDC client status for OIDC clients that can be customized + by the cluster-admin. items: description: |- OIDCClientStatus represents the current state @@ -704,8 +647,7 @@ spec: properties: componentName: description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -714,9 +656,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. @@ -793,8 +734,7 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. consumingUsers must not exceed 5 entries. items: @@ -810,6 +750,7 @@ spec: currentOIDCClients: description: |- currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: description: |- @@ -818,25 +759,21 @@ spec: properties: clientID: description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. + clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. + issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. + oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. oidcProviderName must not be an empty string (""). minLength: 1 diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml index 1a6afefa6..2f4c3180d 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml @@ -71,37 +71,33 @@ spec: type: object oidcProviders: description: |- - oidcProviders are OIDC identity providers that can issue tokens - for this cluster + oidcProviders are OIDC identity providers that can issue tokens for this cluster Can only be set if "Type" is set to "OIDC". At most one provider can be configured. items: properties: claimMappings: - description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + description: claimMappings is a required field that configures + the rules to be used by the Kubernetes API server for translating + claims in a JWT token, issued by the identity provider, to + a cluster identity. properties: extra: description: |- - extra is an optional field for configuring the mappings - used to construct the extra attribute for the cluster identity. + extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided. items: description: |- - ExtraMapping allows specifying a key and CEL expression - to evaluate the keys' value. It is used to create additional - mappings and attributes added to a cluster identity from - a provided authentication token. + ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. + It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token. properties: key: description: |- - key is a required field that specifies the string - to use as the extra attribute key. + key is a required field that specifies the string to use as the extra attribute key. key must be a domain-prefix path (e.g 'example.org/foo'). key must not exceed 510 characters in length. @@ -114,8 +110,7 @@ spec: It must only contain lower case alphanumeric characters and '-' or '.'. It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". - The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one - alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. It must not exceed 256 characters in length. maxLength: 510 minLength: 1 @@ -159,14 +154,12 @@ spec: rule: self.split('/', 2)[1].size() <= 256 valueExpression: description: |- - valueExpression is a required field to specify the CEL expression to extract - the extra attribute value from a JWT token's claims. + valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. "", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). @@ -187,76 +180,62 @@ spec: x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). + groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. + + When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a required field that configures + the JWT token claim whose value is assigned to the + cluster identity field associated with this mapping. type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string required: - claim type: object uid: description: |- - uid is an optional field for configuring the claim mapping - used to construct the uid for the cluster identity. + uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. When using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value. - When omitted, this means the user has no opinion and the platform - is left to choose a default, which is subject to change over time. + When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. properties: claim: description: |- - claim is an optional field for specifying the - JWT token claim that is used in the mapping. - The value of this claim will be assigned to - the field in which this mapping is associated. + claim is an optional field for specifying the JWT token claim that is used in the mapping. + The value of this claim will be assigned to the field in which this mapping is associated. Precisely one of claim or expression must be set. claim must not be specified when expression is set. - When specified, claim must be at least 1 character in length - and must not exceed 256 characters in length. + When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string expression: description: |- - expression is an optional field for specifying a - CEL expression that produces a string value from - JWT token claims. + expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). Precisely one of claim or expression must be set. expression must not be specified when claim is set. - When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. + When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. maxLength: 1024 minLength: 1 type: string @@ -266,15 +245,14 @@ spec: set rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: - description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + description: username is a required field that configures + how the username of a cluster identity should be constructed + from the claims in a JWT token issued by the identity + provider. properties: claim: description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 @@ -282,16 +260,13 @@ spec: type: string prefix: description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. + prefix configures the prefix that should be prepended to the value of the JWT claim. prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. + prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. prefixString must not be an empty string (""). minLength: 1 @@ -301,23 +276,21 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. + prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. + When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. + When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", and `claim` is set to: @@ -342,9 +315,7 @@ spec: type: object claimValidationRules: description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. + claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. Validation rules are joined via an AND operation. items: @@ -368,8 +339,7 @@ spec: type: string message: description: |- - message is a required human-readable message to be logged by the Kubernetes API server - if the CEL expression defined in 'expression' fails. + message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters. maxLength: 256 minLength: 1 @@ -381,9 +351,8 @@ spec: requiredClaim: description: |- requiredClaim allows configuring a required claim name and its expected value. - This field is required when `type` is set to RequiredClaim, and must be omitted - when `type` is set to any other value. The Kubernetes API server uses this field - to validate if an incoming JWT is valid for this identity provider. + This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. + The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. properties: claim: description: |- @@ -395,10 +364,8 @@ spec: type: string requiredValue: description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. + requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token will be rejected for authentication. requiredValue must not be an empty string (""). minLength: 1 @@ -413,12 +380,9 @@ spec: Allowed values are "RequiredClaim" and "CEL". - When set to 'RequiredClaim', the Kubernetes API server will be configured - to validate that the incoming JWT contains the required claim and that its - value matches the required value. + When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. - When set to 'CEL', the Kubernetes API server will be configured - to validate the incoming JWT against the configured CEL expression. + When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. enum: - RequiredClaim - CEL @@ -438,15 +402,14 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer is a required field that configures how + the platform interacts with the identity provider and how + tokens issued from the identity provider are evaluated by + the Kubernetes API server. properties: audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. + audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token. audiences must contain at least one entry and must not exceed ten entries. @@ -459,12 +422,12 @@ spec: x-kubernetes-list-type: set discoveryURL: description: |- - discoveryURL is an optional field that, if specified, overrides the default discovery endpoint - used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` - as "{issuerURL}/.well-known/openid-configuration". + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. + By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". - The discoveryURL must be a valid absolute HTTPS URL. It must not contain query - parameters, user information, or fragments. Additionally, it must differ from the value of `url` (ignoring trailing slashes). + The discoveryURL must be a valid absolute HTTPS URL. + It must not contain query parameters, user information, or fragments. + Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters. maxLength: 2048 minLength: 1 @@ -482,15 +445,11 @@ spec: rule: '!self.matches(''^https://.+:.+@.+/.*$'')' issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. + issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. When not specified, the system trust is used. - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -501,10 +460,8 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + issuerURL is a required field that configures the URL used to issue tokens by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. Must be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. @@ -533,50 +490,39 @@ spec: : true' name: description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. + name is a required field that configures the unique human-readable identifier associated with the identity provider. + It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. + oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: - description: |- - OIDCClientConfig configures how platform clients - interact with identity providers as an authentication - method + description: OIDCClientConfig configures how platform clients + interact with identity providers as an authentication method. properties: clientID: description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. + clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. + The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. + clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests to the identity provider. - When not specified, no client secret will be used when making authentication requests - to the identity provider. + When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider. - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. + Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced @@ -587,8 +533,8 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -597,9 +543,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. @@ -608,11 +553,8 @@ spec: type: string extraScopes: description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. + extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. + This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. When omitted, no additional scopes are requested. items: @@ -632,9 +574,7 @@ spec: x-kubernetes-list-type: map userValidationRules: description: |- - userValidationRules is an optional field that configures the set of rules - used to validate the cluster user identity that was constructed via - mapping token claims to user identity attributes. + userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. If any rule in the chain of rules evaluates to 'false', authentication will fail. When specified, at least one rule must be specified and no more than 64 rules may be specified. @@ -645,8 +585,8 @@ spec: properties: expression: description: |- - expression is a required CEL expression that performs a validation - on cluster user identity attributes like username, groups, etc. + expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc. + The expression must evaluate to a boolean value. When the expression evaluates to 'true', the cluster user identity is considered valid. When the expression evaluates to 'false', the cluster user identity is not considered valid. @@ -656,8 +596,7 @@ spec: type: string message: description: |- - message is a required human-readable message to be logged by the Kubernetes API server - if the CEL expression defined in 'expression' fails. + message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters. maxLength: 256 minLength: 1 @@ -793,9 +732,9 @@ spec: - name type: object oidcClients: - description: |- - oidcClients is where participating operators place the current OIDC client status - for OIDC clients that can be customized by the cluster-admin. + description: oidcClients is where participating operators place the + current OIDC client status for OIDC clients that can be customized + by the cluster-admin. items: description: |- OIDCClientStatus represents the current state @@ -804,8 +743,7 @@ spec: properties: componentName: description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -814,9 +752,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. @@ -893,8 +830,7 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. consumingUsers must not exceed 5 entries. items: @@ -910,6 +846,7 @@ spec: currentOIDCClients: description: |- currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: description: |- @@ -918,25 +855,21 @@ spec: properties: clientID: description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. + clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. + issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. + oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. oidcProviderName must not be an empty string (""). minLength: 1 diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml index 5233cc52f..2aff1f514 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml @@ -71,37 +71,33 @@ spec: type: object oidcProviders: description: |- - oidcProviders are OIDC identity providers that can issue tokens - for this cluster + oidcProviders are OIDC identity providers that can issue tokens for this cluster Can only be set if "Type" is set to "OIDC". At most one provider can be configured. items: properties: claimMappings: - description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + description: claimMappings is a required field that configures + the rules to be used by the Kubernetes API server for translating + claims in a JWT token, issued by the identity provider, to + a cluster identity. properties: extra: description: |- - extra is an optional field for configuring the mappings - used to construct the extra attribute for the cluster identity. + extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided. items: description: |- - ExtraMapping allows specifying a key and CEL expression - to evaluate the keys' value. It is used to create additional - mappings and attributes added to a cluster identity from - a provided authentication token. + ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. + It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token. properties: key: description: |- - key is a required field that specifies the string - to use as the extra attribute key. + key is a required field that specifies the string to use as the extra attribute key. key must be a domain-prefix path (e.g 'example.org/foo'). key must not exceed 510 characters in length. @@ -114,8 +110,7 @@ spec: It must only contain lower case alphanumeric characters and '-' or '.'. It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". - The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one - alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. It must not exceed 256 characters in length. maxLength: 510 minLength: 1 @@ -159,14 +154,12 @@ spec: rule: self.split('/', 2)[1].size() <= 256 valueExpression: description: |- - valueExpression is a required field to specify the CEL expression to extract - the extra attribute value from a JWT token's claims. + valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. "", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). @@ -187,76 +180,62 @@ spec: x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). + groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. + + When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a required field that configures + the JWT token claim whose value is assigned to the + cluster identity field associated with this mapping. type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string required: - claim type: object uid: description: |- - uid is an optional field for configuring the claim mapping - used to construct the uid for the cluster identity. + uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. When using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value. - When omitted, this means the user has no opinion and the platform - is left to choose a default, which is subject to change over time. + When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. properties: claim: description: |- - claim is an optional field for specifying the - JWT token claim that is used in the mapping. - The value of this claim will be assigned to - the field in which this mapping is associated. + claim is an optional field for specifying the JWT token claim that is used in the mapping. + The value of this claim will be assigned to the field in which this mapping is associated. Precisely one of claim or expression must be set. claim must not be specified when expression is set. - When specified, claim must be at least 1 character in length - and must not exceed 256 characters in length. + When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string expression: description: |- - expression is an optional field for specifying a - CEL expression that produces a string value from - JWT token claims. + expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). Precisely one of claim or expression must be set. expression must not be specified when claim is set. - When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. + When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. maxLength: 1024 minLength: 1 type: string @@ -266,15 +245,14 @@ spec: set rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: - description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + description: username is a required field that configures + how the username of a cluster identity should be constructed + from the claims in a JWT token issued by the identity + provider. properties: claim: description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 @@ -282,16 +260,13 @@ spec: type: string prefix: description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. + prefix configures the prefix that should be prepended to the value of the JWT claim. prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. + prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. prefixString must not be an empty string (""). minLength: 1 @@ -301,23 +276,21 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. + prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. + When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. + When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", and `claim` is set to: @@ -342,9 +315,7 @@ spec: type: object claimValidationRules: description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. + claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. Validation rules are joined via an AND operation. items: @@ -356,9 +327,8 @@ spec: requiredClaim: description: |- requiredClaim allows configuring a required claim name and its expected value. - This field is required when `type` is set to RequiredClaim, and must be omitted - when `type` is set to any other value. The Kubernetes API server uses this field - to validate if an incoming JWT is valid for this identity provider. + This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. + The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. properties: claim: description: |- @@ -370,10 +340,8 @@ spec: type: string requiredValue: description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. + requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token will be rejected for authentication. requiredValue must not be an empty string (""). minLength: 1 @@ -388,12 +356,9 @@ spec: Allowed values are "RequiredClaim" and "CEL". - When set to 'RequiredClaim', the Kubernetes API server will be configured - to validate that the incoming JWT contains the required claim and that its - value matches the required value. + When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. - When set to 'CEL', the Kubernetes API server will be configured - to validate the incoming JWT against the configured CEL expression. + When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. enum: - RequiredClaim type: string @@ -408,15 +373,14 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer is a required field that configures how + the platform interacts with the identity provider and how + tokens issued from the identity provider are evaluated by + the Kubernetes API server. properties: audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. + audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token. audiences must contain at least one entry and must not exceed ten entries. @@ -429,15 +393,11 @@ spec: x-kubernetes-list-type: set issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. + issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. When not specified, the system trust is used. - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -448,10 +408,8 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + issuerURL is a required field that configures the URL used to issue tokens by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. Must be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. @@ -475,50 +433,39 @@ spec: type: object name: description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. + name is a required field that configures the unique human-readable identifier associated with the identity provider. + It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. + oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: - description: |- - OIDCClientConfig configures how platform clients - interact with identity providers as an authentication - method + description: OIDCClientConfig configures how platform clients + interact with identity providers as an authentication method. properties: clientID: description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. + clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. + The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. + clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. - When not specified, no client secret will be used when making authentication requests - to the identity provider. + When not specified, no client secret will be used when making authentication requests to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider. - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. + Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced @@ -529,8 +476,8 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -539,9 +486,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. @@ -550,11 +496,8 @@ spec: type: string extraScopes: description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. + extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. + This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. When omitted, no additional scopes are requested. items: @@ -693,9 +636,9 @@ spec: - name type: object oidcClients: - description: |- - oidcClients is where participating operators place the current OIDC client status - for OIDC clients that can be customized by the cluster-admin. + description: oidcClients is where participating operators place the + current OIDC client status for OIDC clients that can be customized + by the cluster-admin. items: description: |- OIDCClientStatus represents the current state @@ -704,8 +647,7 @@ spec: properties: componentName: description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -714,9 +656,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. @@ -793,8 +734,7 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. consumingUsers must not exceed 5 entries. items: @@ -810,6 +750,7 @@ spec: currentOIDCClients: description: |- currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: description: |- @@ -818,25 +759,21 @@ spec: properties: clientID: description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. + clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. + issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. + oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. oidcProviderName must not be an empty string (""). minLength: 1 diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml index 60698312a..11281f286 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml @@ -71,37 +71,33 @@ spec: type: object oidcProviders: description: |- - oidcProviders are OIDC identity providers that can issue tokens - for this cluster + oidcProviders are OIDC identity providers that can issue tokens for this cluster Can only be set if "Type" is set to "OIDC". At most one provider can be configured. items: properties: claimMappings: - description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + description: claimMappings is a required field that configures + the rules to be used by the Kubernetes API server for translating + claims in a JWT token, issued by the identity provider, to + a cluster identity. properties: extra: description: |- - extra is an optional field for configuring the mappings - used to construct the extra attribute for the cluster identity. + extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided. items: description: |- - ExtraMapping allows specifying a key and CEL expression - to evaluate the keys' value. It is used to create additional - mappings and attributes added to a cluster identity from - a provided authentication token. + ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. + It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token. properties: key: description: |- - key is a required field that specifies the string - to use as the extra attribute key. + key is a required field that specifies the string to use as the extra attribute key. key must be a domain-prefix path (e.g 'example.org/foo'). key must not exceed 510 characters in length. @@ -114,8 +110,7 @@ spec: It must only contain lower case alphanumeric characters and '-' or '.'. It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". - The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one - alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. It must not exceed 256 characters in length. maxLength: 510 minLength: 1 @@ -159,14 +154,12 @@ spec: rule: self.split('/', 2)[1].size() <= 256 valueExpression: description: |- - valueExpression is a required field to specify the CEL expression to extract - the extra attribute value from a JWT token's claims. + valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. "", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). @@ -187,76 +180,62 @@ spec: x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). + groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. + + When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a required field that configures + the JWT token claim whose value is assigned to the + cluster identity field associated with this mapping. type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string required: - claim type: object uid: description: |- - uid is an optional field for configuring the claim mapping - used to construct the uid for the cluster identity. + uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. When using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value. - When omitted, this means the user has no opinion and the platform - is left to choose a default, which is subject to change over time. + When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. properties: claim: description: |- - claim is an optional field for specifying the - JWT token claim that is used in the mapping. - The value of this claim will be assigned to - the field in which this mapping is associated. + claim is an optional field for specifying the JWT token claim that is used in the mapping. + The value of this claim will be assigned to the field in which this mapping is associated. Precisely one of claim or expression must be set. claim must not be specified when expression is set. - When specified, claim must be at least 1 character in length - and must not exceed 256 characters in length. + When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string expression: description: |- - expression is an optional field for specifying a - CEL expression that produces a string value from - JWT token claims. + expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). Precisely one of claim or expression must be set. expression must not be specified when claim is set. - When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. + When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. maxLength: 1024 minLength: 1 type: string @@ -266,15 +245,14 @@ spec: set rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: - description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + description: username is a required field that configures + how the username of a cluster identity should be constructed + from the claims in a JWT token issued by the identity + provider. properties: claim: description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 @@ -282,16 +260,13 @@ spec: type: string prefix: description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. + prefix configures the prefix that should be prepended to the value of the JWT claim. prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. + prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. prefixString must not be an empty string (""). minLength: 1 @@ -301,23 +276,21 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. + prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. + When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. + When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", and `claim` is set to: @@ -342,9 +315,7 @@ spec: type: object claimValidationRules: description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. + claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. Validation rules are joined via an AND operation. items: @@ -368,8 +339,7 @@ spec: type: string message: description: |- - message is a required human-readable message to be logged by the Kubernetes API server - if the CEL expression defined in 'expression' fails. + message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters. maxLength: 256 minLength: 1 @@ -381,9 +351,8 @@ spec: requiredClaim: description: |- requiredClaim allows configuring a required claim name and its expected value. - This field is required when `type` is set to RequiredClaim, and must be omitted - when `type` is set to any other value. The Kubernetes API server uses this field - to validate if an incoming JWT is valid for this identity provider. + This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. + The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. properties: claim: description: |- @@ -395,10 +364,8 @@ spec: type: string requiredValue: description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. + requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token will be rejected for authentication. requiredValue must not be an empty string (""). minLength: 1 @@ -413,12 +380,9 @@ spec: Allowed values are "RequiredClaim" and "CEL". - When set to 'RequiredClaim', the Kubernetes API server will be configured - to validate that the incoming JWT contains the required claim and that its - value matches the required value. + When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. - When set to 'CEL', the Kubernetes API server will be configured - to validate the incoming JWT against the configured CEL expression. + When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. enum: - RequiredClaim - CEL @@ -438,15 +402,14 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer is a required field that configures how + the platform interacts with the identity provider and how + tokens issued from the identity provider are evaluated by + the Kubernetes API server. properties: audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. + audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token. audiences must contain at least one entry and must not exceed ten entries. @@ -459,12 +422,12 @@ spec: x-kubernetes-list-type: set discoveryURL: description: |- - discoveryURL is an optional field that, if specified, overrides the default discovery endpoint - used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` - as "{issuerURL}/.well-known/openid-configuration". + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. + By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". - The discoveryURL must be a valid absolute HTTPS URL. It must not contain query - parameters, user information, or fragments. Additionally, it must differ from the value of `url` (ignoring trailing slashes). + The discoveryURL must be a valid absolute HTTPS URL. + It must not contain query parameters, user information, or fragments. + Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters. maxLength: 2048 minLength: 1 @@ -482,15 +445,11 @@ spec: rule: '!self.matches(''^https://.+:.+@.+/.*$'')' issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. + issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. When not specified, the system trust is used. - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -501,10 +460,8 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + issuerURL is a required field that configures the URL used to issue tokens by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. Must be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. @@ -533,50 +490,39 @@ spec: : true' name: description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. + name is a required field that configures the unique human-readable identifier associated with the identity provider. + It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. + oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: - description: |- - OIDCClientConfig configures how platform clients - interact with identity providers as an authentication - method + description: OIDCClientConfig configures how platform clients + interact with identity providers as an authentication method. properties: clientID: description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. + clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. + The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. + clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests to the identity provider. - When not specified, no client secret will be used when making authentication requests - to the identity provider. + When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider. - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. + Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced @@ -587,8 +533,8 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -597,9 +543,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. @@ -608,11 +553,8 @@ spec: type: string extraScopes: description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. + extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. + This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. When omitted, no additional scopes are requested. items: @@ -632,9 +574,7 @@ spec: x-kubernetes-list-type: map userValidationRules: description: |- - userValidationRules is an optional field that configures the set of rules - used to validate the cluster user identity that was constructed via - mapping token claims to user identity attributes. + userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. If any rule in the chain of rules evaluates to 'false', authentication will fail. When specified, at least one rule must be specified and no more than 64 rules may be specified. @@ -645,8 +585,8 @@ spec: properties: expression: description: |- - expression is a required CEL expression that performs a validation - on cluster user identity attributes like username, groups, etc. + expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc. + The expression must evaluate to a boolean value. When the expression evaluates to 'true', the cluster user identity is considered valid. When the expression evaluates to 'false', the cluster user identity is not considered valid. @@ -656,8 +596,7 @@ spec: type: string message: description: |- - message is a required human-readable message to be logged by the Kubernetes API server - if the CEL expression defined in 'expression' fails. + message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters. maxLength: 256 minLength: 1 @@ -793,9 +732,9 @@ spec: - name type: object oidcClients: - description: |- - oidcClients is where participating operators place the current OIDC client status - for OIDC clients that can be customized by the cluster-admin. + description: oidcClients is where participating operators place the + current OIDC client status for OIDC clients that can be customized + by the cluster-admin. items: description: |- OIDCClientStatus represents the current state @@ -804,8 +743,7 @@ spec: properties: componentName: description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -814,9 +752,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. @@ -893,8 +830,7 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. consumingUsers must not exceed 5 entries. items: @@ -910,6 +846,7 @@ spec: currentOIDCClients: description: |- currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: description: |- @@ -918,25 +855,21 @@ spec: properties: clientID: description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. + clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. + issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. + oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. oidcProviderName must not be an empty string (""). minLength: 1 diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml index 7d200f4d6..9086d4a57 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml @@ -628,9 +628,10 @@ spec: balancers, dynamic volume provisioning, machine creation and deletion, and other integrations are enabled. If None, no infrastructure automation is enabled. Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms, - and must handle unrecognized platforms as None if they do not support that platform. + "OpenStack", "VSphere", "oVirt", "IBMCloud", "KubeVirt", "EquinixMetal", + "PowerVS", "AlibabaCloud", "Nutanix", "External", and "None". Individual + components may not support all platforms, and must handle unrecognized + platforms as None if they do not support that platform. enum: - "" - AWS diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml index 4ecbc18e9..803c48a1e 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml @@ -562,9 +562,10 @@ spec: balancers, dynamic volume provisioning, machine creation and deletion, and other integrations are enabled. If None, no infrastructure automation is enabled. Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms, - and must handle unrecognized platforms as None if they do not support that platform. + "OpenStack", "VSphere", "oVirt", "IBMCloud", "KubeVirt", "EquinixMetal", + "PowerVS", "AlibabaCloud", "Nutanix", "External", and "None". Individual + components may not support all platforms, and must handle unrecognized + platforms as None if they do not support that platform. enum: - "" - AWS diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml index 7308c87b8..de1a68c90 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml @@ -628,9 +628,10 @@ spec: balancers, dynamic volume provisioning, machine creation and deletion, and other integrations are enabled. If None, no infrastructure automation is enabled. Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms, - and must handle unrecognized platforms as None if they do not support that platform. + "OpenStack", "VSphere", "oVirt", "IBMCloud", "KubeVirt", "EquinixMetal", + "PowerVS", "AlibabaCloud", "Nutanix", "External", and "None". Individual + components may not support all platforms, and must handle unrecognized + platforms as None if they do not support that platform. enum: - "" - AWS diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-OKD.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-OKD.crd.yaml index ed9fb2c3b..245bc3ea6 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-OKD.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-OKD.crd.yaml @@ -562,9 +562,10 @@ spec: balancers, dynamic volume provisioning, machine creation and deletion, and other integrations are enabled. If None, no infrastructure automation is enabled. Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms, - and must handle unrecognized platforms as None if they do not support that platform. + "OpenStack", "VSphere", "oVirt", "IBMCloud", "KubeVirt", "EquinixMetal", + "PowerVS", "AlibabaCloud", "Nutanix", "External", and "None". Individual + components may not support all platforms, and must handle unrecognized + platforms as None if they do not support that platform. enum: - "" - AWS diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml index f14dd3abe..c45b7d6e8 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml @@ -628,9 +628,10 @@ spec: balancers, dynamic volume provisioning, machine creation and deletion, and other integrations are enabled. If None, no infrastructure automation is enabled. Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms, - and must handle unrecognized platforms as None if they do not support that platform. + "OpenStack", "VSphere", "oVirt", "IBMCloud", "KubeVirt", "EquinixMetal", + "PowerVS", "AlibabaCloud", "Nutanix", "External", and "None". Individual + components may not support all platforms, and must handle unrecognized + platforms as None if they do not support that platform. enum: - "" - AWS diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml index 5d4794e4b..576fd510c 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml @@ -6,6 +6,7 @@ apiservers.config.openshift.io: Capability: "" Category: "" FeatureGates: + - KMSEncryption - KMSEncryptionProvider FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go index e7bc0aebb..7f0018950 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go @@ -407,11 +407,11 @@ func (ExtraMapping) SwaggerDoc() map[string]string { } var map_OIDCClientConfig = map[string]string{ - "": "OIDCClientConfig configures how platform clients interact with identity providers as an authentication method", - "componentName": "componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", - "componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", + "": "OIDCClientConfig configures how platform clients interact with identity providers as an authentication method.", + "componentName": "componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode.\n\nIt is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", + "componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running.\n\nIt is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", "clientID": "clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode.\n\nclientID must not be an empty string (\"\").", - "clientSecret": "clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.\n\nWhen not specified, no client secret will be used when making authentication requests to the identity provider.\n\nWhen specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider.\n\nPublic clients do not require a client secret but private clients do require a client secret to work with the identity provider.", + "clientSecret": "clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.\n\nWhen not specified, no client secret will be used when making authentication requests to the identity provider.\n\nWhen specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field.\n\nThe client secret will be used when making authentication requests to the identity provider.\n\nPublic clients do not require a client secret but private clients do require a client secret to work with the identity provider.", "extraScopes": "extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes.\n\nWhen omitted, no additional scopes are requested.", } @@ -433,8 +433,8 @@ func (OIDCClientReference) SwaggerDoc() map[string]string { var map_OIDCClientStatus = map[string]string{ "": "OIDCClientStatus represents the current state of platform components and how they interact with the configured identity providers.", "componentName": "componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", - "componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", - "currentOIDCClients": "currentOIDCClients is an optional list of clients that the component is currently using. Entries must have unique issuerURL/clientID pairs.", + "componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running.\n\nIt is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", + "currentOIDCClients": "currentOIDCClients is an optional list of clients that the component is currently using.\n\nEntries must have unique issuerURL/clientID pairs.", "consumingUsers": "consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret.\n\nconsumingUsers must not exceed 5 entries.", "conditions": "conditions are used to communicate the state of the `oidcClients` entry.\n\nSupported conditions include Available, Degraded and Progressing.\n\nIf Available is true, the component is successfully using the configured client. If Degraded is true, that means something has gone wrong trying to handle the client configuration. If Progressing is true, that means the component is taking some action related to the `oidcClients` entry.", } @@ -458,7 +458,7 @@ func (OIDCProvider) SwaggerDoc() map[string]string { var map_PrefixedClaimMapping = map[string]string{ "": "PrefixedClaimMapping configures a claim mapping that allows for an optional prefix.", - "prefix": "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", + "prefix": "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", } func (PrefixedClaimMapping) SwaggerDoc() map[string]string { @@ -476,9 +476,9 @@ func (TokenClaimMapping) SwaggerDoc() map[string]string { var map_TokenClaimMappings = map[string]string{ "username": "username is a required field that configures how the username of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.", - "groups": "groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). For example - '\"example\"' and '\"exampleOne\", \"exampleTwo\", \"exampleThree\"' are valid claim values.", - "uid": "uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity.\n\nWhen using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. The current default is to use the 'sub' claim.", - "extra": "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided.", + "groups": "groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.\n\nWhen referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (',').\n\nFor example - '\"example\"' and '\"exampleOne\", \"exampleTwo\", \"exampleThree\"' are valid claim values.", + "uid": "uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity.\n\nWhen using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time.\n\nThe current default is to use the 'sub' claim.", + "extra": "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity.\n\nkey values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided.", } func (TokenClaimMappings) SwaggerDoc() map[string]string { @@ -519,7 +519,7 @@ var map_TokenIssuer = map[string]string{ "issuerURL": "issuerURL is a required field that configures the URL used to issue tokens by the identity provider. The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.\n\nMust be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.", "audiences": "audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token.\n\naudiences must contain at least one entry and must not exceed ten entries.", "issuerCertificateAuthority": "issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information.\n\nWhen not specified, the system trust is used.\n\nWhen specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap.", - "discoveryURL": "discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as \"{issuerURL}/.well-known/openid-configuration\".\n\nThe discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `url` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters.", + "discoveryURL": "discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as \"{issuerURL}/.well-known/openid-configuration\".\n\nThe discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters.", } func (TokenIssuer) SwaggerDoc() map[string]string { @@ -537,7 +537,7 @@ func (TokenRequiredClaim) SwaggerDoc() map[string]string { var map_TokenUserValidationRule = map[string]string{ "": "TokenUserValidationRule provides a CEL-based rule used to validate a token subject. Each rule contains a CEL expression that is evaluated against the token’s claims.", - "expression": "expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc. The expression must evaluate to a boolean value. When the expression evaluates to 'true', the cluster user identity is considered valid. When the expression evaluates to 'false', the cluster user identity is not considered valid. expression must be at least 1 character in length and must not exceed 1024 characters.", + "expression": "expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc.\n\nThe expression must evaluate to a boolean value. When the expression evaluates to 'true', the cluster user identity is considered valid. When the expression evaluates to 'false', the cluster user identity is not considered valid. expression must be at least 1 character in length and must not exceed 1024 characters.", "message": "message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters.", } @@ -547,7 +547,7 @@ func (TokenUserValidationRule) SwaggerDoc() map[string]string { var map_UsernameClaimMapping = map[string]string{ "claim": "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.\n\nclaim must not be an empty string (\"\") and must not exceed 256 characters.", - "prefixPolicy": "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. The prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. As an example, consider the following scenario:\n `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n - \"email\": the mapped value will be \"userA@myoidc.tld\"", + "prefixPolicy": "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim.\n\nThe prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'.\n\nAs an example, consider the following scenario:\n\n `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n - \"email\": the mapped value will be \"userA@myoidc.tld\"", "prefix": "prefix configures the prefix that should be prepended to the value of the JWT claim.\n\nprefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise.", } @@ -1924,7 +1924,7 @@ func (OvirtPlatformStatus) SwaggerDoc() map[string]string { var map_PlatformSpec = map[string]string{ "": "PlatformSpec holds the desired state specific to the underlying infrastructure provider of the current cluster. Since these are used at spec-level for the underlying cluster, it is supposed that only one of the spec structs is set.", - "type": "type is the underlying infrastructure provider for the cluster. This value controls whether infrastructure automation such as service load balancers, dynamic volume provisioning, machine creation and deletion, and other integrations are enabled. If None, no infrastructure automation is enabled. Allowed values are \"AWS\", \"Azure\", \"BareMetal\", \"GCP\", \"Libvirt\", \"OpenStack\", \"VSphere\", \"oVirt\", \"KubeVirt\", \"EquinixMetal\", \"PowerVS\", \"AlibabaCloud\", \"Nutanix\" and \"None\". Individual components may not support all platforms, and must handle unrecognized platforms as None if they do not support that platform.", + "type": "type is the underlying infrastructure provider for the cluster. This value controls whether infrastructure automation such as service load balancers, dynamic volume provisioning, machine creation and deletion, and other integrations are enabled. If None, no infrastructure automation is enabled. Allowed values are \"AWS\", \"Azure\", \"BareMetal\", \"GCP\", \"Libvirt\", \"OpenStack\", \"VSphere\", \"oVirt\", \"IBMCloud\", \"KubeVirt\", \"EquinixMetal\", \"PowerVS\", \"AlibabaCloud\", \"Nutanix\", \"External\", and \"None\". Individual components may not support all platforms, and must handle unrecognized platforms as None if they do not support that platform.", "aws": "aws contains settings specific to the Amazon Web Services infrastructure provider.", "azure": "azure contains settings specific to the Azure infrastructure provider.", "gcp": "gcp contains settings specific to the Google Cloud Platform infrastructure provider.", diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_backup.go b/vendor/github.com/openshift/api/config/v1alpha1/types_backup.go index 77df372d4..0f3da5184 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/types_backup.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_backup.go @@ -93,7 +93,7 @@ type EtcdBackupSpec struct { PVCName string `json:"pvcName"` } -// RetentionType is the enumeration of valid retention policy types +// RetentionType is the enumeration of valid retention policy types. // +enum // +kubebuilder:validation:Enum:="RetentionNumber";"RetentionSize" type RetentionType string @@ -115,7 +115,6 @@ type RetentionPolicy struct { // The current default is RetentionNumber with 15 backups kept. // +unionDiscriminator // +required - // +kubebuilder:validation:Enum:="";"RetentionNumber";"RetentionSize" RetentionType RetentionType `json:"retentionType"` // retentionNumber configures the retention policy based on the number of backups diff --git a/vendor/github.com/openshift/api/features/features.go b/vendor/github.com/openshift/api/features/features.go index 289cf106b..de21ab393 100644 --- a/vendor/github.com/openshift/api/features/features.go +++ b/vendor/github.com/openshift/api/features/features.go @@ -212,12 +212,12 @@ var ( mustRegister() FeatureGateEVPN = newFeatureGate("EVPN"). - reportProblemsToJiraComponent("Networking/ovn-kubernetes"). - contactPerson("jcaamano"). - productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1862"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() + reportProblemsToJiraComponent("Networking/ovn-kubernetes"). + contactPerson("jcaamano"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1862"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() FeatureGateNetworkLiveMigration = newFeatureGate("NetworkLiveMigration"). reportProblemsToJiraComponent("Networking/ovn-kubernetes"). @@ -671,9 +671,17 @@ var ( contactPerson("swghosh"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1682"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.DevPreviewNoUpgrade). mustRegister() + FeatureGateKMSEncryption = newFeatureGate("KMSEncryption"). + reportProblemsToJiraComponent("kube-apiserver"). + contactPerson("ardaguclu"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1900"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateHighlyAvailableArbiter = newFeatureGate("HighlyAvailableArbiter"). reportProblemsToJiraComponent("Two Node with Arbiter"). contactPerson("eggfoobar"). @@ -969,4 +977,20 @@ var ( enhancementPR("https://github.com/openshift/enhancements/pull/1882"). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + + FeatureGateClusterAPIControlPlaneInstall = newFeatureGate("ClusterAPIControlPlaneInstall"). + reportProblemsToJiraComponent("Installer / openshift-installer"). + contactPerson("patrickdillon"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1465"). + enableIn(configv1.DevPreviewNoUpgrade). + mustRegister() + + FeatureGateClusterAPIComputeInstall = newFeatureGate("ClusterAPIComputeInstall"). + reportProblemsToJiraComponent("Installer / openshift-installer"). + contactPerson("patrickdillon"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1465"). + enableIn(configv1.DevPreviewNoUpgrade). + mustRegister() ) diff --git a/vendor/github.com/openshift/library-go/pkg/manifest/manifest.go b/vendor/github.com/openshift/library-go/pkg/manifest/manifest.go index 80ccf12d8..550ff017d 100644 --- a/vendor/github.com/openshift/library-go/pkg/manifest/manifest.go +++ b/vendor/github.com/openshift/library-go/pkg/manifest/manifest.go @@ -7,6 +7,7 @@ import ( "os" "path/filepath" "reflect" + "strconv" "strings" "k8s.io/apimachinery/pkg/util/sets" @@ -23,10 +24,11 @@ import ( ) const ( - CapabilityAnnotation = "capability.openshift.io/name" - DefaultClusterProfile = "self-managed-high-availability" - featureSetAnnotation = "release.openshift.io/feature-set" - featureGateAnnotation = "release.openshift.io/feature-gate" + CapabilityAnnotation = "capability.openshift.io/name" + DefaultClusterProfile = "self-managed-high-availability" + featureSetAnnotation = "release.openshift.io/feature-set" + featureGateAnnotation = "release.openshift.io/feature-gate" + majorVersionAnnotation = "release.openshift.io/major-version" ) var knownFeatureSets = sets.Set[string]{} @@ -232,12 +234,69 @@ func checkFeatureGates(enabledGates sets.Set[string], annotations map[string]str return nil } +// checkMajorVersion validates if manifest should be included based on major version requirements +func checkMajorVersion(gvk schema.GroupVersionKind, clusterMajorVersion uint64, annotations map[string]string) error { + if annotations == nil { + return nil // No annotations, include by default + } + majorVersionRequirements, ok := annotations[majorVersionAnnotation] + if !ok { + return nil // No requirements, include by default + } + + if !isFeatureGate(gvk) && !isCustomResource(gvk) { + // Has a requirement, but is not of the expected kind + return fmt.Errorf("major version filtering is only supported for feature gates and custom resources") + } + + requirements := strings.Split(majorVersionRequirements, ",") + includedVersions := sets.New[uint64]() + excludedVersions := sets.New[uint64]() + + for _, req := range requirements { + req = strings.TrimSpace(req) + if req == "" { + continue + } + + if strings.HasPrefix(req, "-") { + excludedVersionStr := req[1:] + excludedVersion, err := strconv.ParseUint(excludedVersionStr, 10, 64) + if err != nil { + return fmt.Errorf("invalid excluded major version %q in annotation: %v", excludedVersionStr, err) + } + excludedVersions.Insert(excludedVersion) + } else { + includedVersionStr := req + includedVersion, err := strconv.ParseUint(includedVersionStr, 10, 64) + if err != nil { + return fmt.Errorf("invalid included major version %q in annotation: %v", includedVersionStr, err) + } + includedVersions.Insert(includedVersion) + } + } + + switch { + case includedVersions.Intersection(excludedVersions).Len() > 0: + return fmt.Errorf("inclusion and exclusion requirements overlap: %v", includedVersions.Intersection(excludedVersions).UnsortedList()) + case includedVersions.Has(clusterMajorVersion): + return nil // Found matching version, include this manifest + case excludedVersions.Has(clusterMajorVersion): + return fmt.Errorf("major version %d matches excluded version %d", clusterMajorVersion, clusterMajorVersion) + case len(includedVersions) > 0: + return fmt.Errorf("major version %d does not match any required versions", clusterMajorVersion) + default: + // No positive requirement and did not match any excluded versions + return nil + } +} + // Include returns an error if the manifest fails an inclusion filter and should be excluded from further // processing by cluster version operator. Pointer arguments can be set nil to avoid excluding based on that // filter. For example, setting profile non-nil and capabilities nil will return an error if the manifest's // profile does not match, but will never return an error about capability issues. -func (m *Manifest) Include(excludeIdentifier *string, requiredFeatureSet *string, profile *string, capabilities *configv1.ClusterVersionCapabilitiesStatus, overrides []configv1.ComponentOverride, enabledFeatureGates sets.Set[string]) error { - return m.IncludeAllowUnknownCapabilities(excludeIdentifier, requiredFeatureSet, profile, capabilities, overrides, enabledFeatureGates, false) +func (m *Manifest) Include(excludeIdentifier *string, requiredFeatureSet *string, profile *string, capabilities *configv1.ClusterVersionCapabilitiesStatus, overrides []configv1.ComponentOverride, enabledFeatureGates sets.Set[string], majorVersion *uint64) error { + return m.IncludeAllowUnknownCapabilities(excludeIdentifier, requiredFeatureSet, profile, capabilities, overrides, enabledFeatureGates, majorVersion, false) } // IncludeAllowUnknownCapabilities returns an error if the manifest fails an inclusion filter and should be excluded from @@ -247,7 +306,7 @@ func (m *Manifest) Include(excludeIdentifier *string, requiredFeatureSet *string // to capabilities filtering. When set to true a manifest will not be excluded simply because it contains an unknown // capability. This is necessary to allow updates to an OCP version containing newly defined capabilities. func (m *Manifest) IncludeAllowUnknownCapabilities(excludeIdentifier *string, requiredFeatureSet *string, profile *string, - capabilities *configv1.ClusterVersionCapabilitiesStatus, overrides []configv1.ComponentOverride, enabledFeatureGates sets.Set[string], allowUnknownCapabilities bool) error { + capabilities *configv1.ClusterVersionCapabilitiesStatus, overrides []configv1.ComponentOverride, enabledFeatureGates sets.Set[string], majorVersion *uint64, allowUnknownCapabilities bool) error { annotations := m.Obj.GetAnnotations() if annotations == nil { @@ -282,6 +341,14 @@ func (m *Manifest) IncludeAllowUnknownCapabilities(excludeIdentifier *string, re } } + // Major version filtering + if majorVersion != nil { + err := checkMajorVersion(m.GVK, *majorVersion, annotations) + if err != nil { + return err + } + } + if profile != nil { profileAnnotation := fmt.Sprintf("include.release.openshift.io/%s", *profile) if val, ok := annotations[profileAnnotation]; ok && val != "true" { @@ -481,3 +548,11 @@ func addIfNotDuplicateResource(manifest Manifest, resourceIds map[resourceId]boo } return fmt.Errorf("duplicate resource: (%s)", manifest.id) } + +func isFeatureGate(gvk schema.GroupVersionKind) bool { + return gvk.Group == "config.openshift.io" && gvk.Kind == "FeatureGate" +} + +func isCustomResource(gvk schema.GroupVersionKind) bool { + return gvk.Group == "apiextensions.k8s.io" && gvk.Kind == "CustomResourceDefinition" +} diff --git a/vendor/modules.txt b/vendor/modules.txt index 050891ed1..d4339720e 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -166,7 +166,7 @@ github.com/openshift-eng/openshift-tests-extension/pkg/flags github.com/openshift-eng/openshift-tests-extension/pkg/ginkgo github.com/openshift-eng/openshift-tests-extension/pkg/util/sets github.com/openshift-eng/openshift-tests-extension/pkg/version -# github.com/openshift/api v0.0.0-20260116192047-6fb7fdae95fd +# github.com/openshift/api v0.0.0-20260126183958-606bd613f9f7 ## explicit; go 1.24.0 github.com/openshift/api/config github.com/openshift/api/config/v1 @@ -236,7 +236,7 @@ github.com/openshift/client-go/security/clientset/versioned/fake github.com/openshift/client-go/security/clientset/versioned/scheme github.com/openshift/client-go/security/clientset/versioned/typed/security/v1 github.com/openshift/client-go/security/clientset/versioned/typed/security/v1/fake -# github.com/openshift/library-go v0.0.0-20260121132910-dc3a1c884c04 +# github.com/openshift/library-go v0.0.0-20260121132910-dc3a1c884c04 => github.com/JoelSpeed/library-go v0.0.0-20260130121715-6e5ccfd0da42 ## explicit; go 1.24.0 github.com/openshift/library-go/pkg/apiserver/jsonpatch github.com/openshift/library-go/pkg/config/clusterstatus @@ -1001,4 +1001,5 @@ sigs.k8s.io/structured-merge-diff/v6/value # sigs.k8s.io/yaml v1.6.0 ## explicit; go 1.22 sigs.k8s.io/yaml +# github.com/openshift/library-go => github.com/JoelSpeed/library-go v0.0.0-20260130121715-6e5ccfd0da42 # github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241205171354-8006f302fd12