diff --git a/go.mod b/go.mod index 03a0fe28ae..e10c4e43af 100644 --- a/go.mod +++ b/go.mod @@ -11,9 +11,9 @@ require ( github.com/onsi/ginkgo/v2 v2.21.0 github.com/onsi/gomega v1.35.1 github.com/openshift-eng/openshift-tests-extension v0.0.0-20250220212757-b9c4d98a0c45 - github.com/openshift/api v0.0.0-20251127005036-0e3c378fdedc - github.com/openshift/client-go v0.0.0-20251201171210-333716c1124a - github.com/openshift/library-go v0.0.0-20251120164824-14a789e09884 + github.com/openshift/api v0.0.0-20260116192047-6fb7fdae95fd + github.com/openshift/client-go v0.0.0-20260108185524-48f4ccfc4e13 + github.com/openshift/library-go v0.0.0-20260108135436-db8dbd64c462 github.com/operator-framework/api v0.17.1 github.com/operator-framework/operator-lifecycle-manager v0.22.0 github.com/pkg/errors v0.9.1 @@ -21,8 +21,8 @@ require ( github.com/prometheus/client_model v0.6.1 github.com/prometheus/common v0.62.0 github.com/spf13/cobra v1.9.1 - golang.org/x/crypto v0.42.0 - golang.org/x/net v0.43.0 + golang.org/x/crypto v0.45.0 + golang.org/x/net v0.47.0 golang.org/x/time v0.9.0 gopkg.in/fsnotify.v1 v1.4.7 k8s.io/api v0.34.1 @@ -71,10 +71,10 @@ require ( go.yaml.in/yaml/v3 v3.0.4 // indirect golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect golang.org/x/oauth2 v0.27.0 // indirect - golang.org/x/sys v0.36.0 // indirect - golang.org/x/term v0.35.0 // indirect - golang.org/x/text v0.29.0 // indirect - golang.org/x/tools v0.36.0 // indirect + golang.org/x/sys v0.38.0 // indirect + golang.org/x/term v0.37.0 // indirect + golang.org/x/text v0.31.0 // indirect + golang.org/x/tools v0.38.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect google.golang.org/protobuf v1.36.5 // indirect diff --git a/go.sum b/go.sum index 359398b7a8..efcc9ecd45 100644 --- a/go.sum +++ b/go.sum @@ -86,12 +86,12 @@ github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4= github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog= github.com/openshift-eng/openshift-tests-extension v0.0.0-20250220212757-b9c4d98a0c45 h1:hXpbYtP3iTh8oy/RKwKkcMziwchY3fIk95ciczf7cOA= github.com/openshift-eng/openshift-tests-extension v0.0.0-20250220212757-b9c4d98a0c45/go.mod h1:6gkP5f2HL0meusT0Aim8icAspcD1cG055xxBZ9yC68M= -github.com/openshift/api v0.0.0-20251127005036-0e3c378fdedc h1:p83VYAk7mlqYZrMaKuu2bBNNLUKBUSCa6YzjPDqbOlk= -github.com/openshift/api v0.0.0-20251127005036-0e3c378fdedc/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY= -github.com/openshift/client-go v0.0.0-20251201171210-333716c1124a h1:iJYjd+rxyjMa3Sk6Vg55secJ4yMrabr/ulnTiy+vDH0= -github.com/openshift/client-go v0.0.0-20251201171210-333716c1124a/go.mod h1:WD7m8ADeqiAKTHWx/mBoE/1MFMtnt9MYTyBOnf0L3LI= -github.com/openshift/library-go v0.0.0-20251120164824-14a789e09884 h1:6512TMT14gnXQ4vyshzAQGjkctU0PO9G+y0tcBjw6Vk= -github.com/openshift/library-go v0.0.0-20251120164824-14a789e09884/go.mod h1:ErDfiIrPHH+menTP/B4LKd0nxFDdvCbTamAc6SWMIh8= +github.com/openshift/api v0.0.0-20260116192047-6fb7fdae95fd h1:Hpjq/55Qb0Gy65RewTSWWlyxpSovaRF86EPjYQkdlRU= +github.com/openshift/api v0.0.0-20260116192047-6fb7fdae95fd/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY= +github.com/openshift/client-go v0.0.0-20260108185524-48f4ccfc4e13 h1:6rd4zSo2UaWQcAPZfHK9yzKVqH0BnMv1hqMzqXZyTds= +github.com/openshift/client-go v0.0.0-20260108185524-48f4ccfc4e13/go.mod h1:YvOmPmV7wcJxpfhTDuFqqs2Xpb3M3ovsM6Qs/i2ptq4= +github.com/openshift/library-go v0.0.0-20260108135436-db8dbd64c462 h1:zX9Od4Jg8sVmwQLwk6Vd+BX7tcyC/462FVvDdzHEPPk= +github.com/openshift/library-go v0.0.0-20260108135436-db8dbd64c462/go.mod h1:nIzWQQE49XbiKizVnVOip9CEB7HJ0hoJwNi3g3YKnKc= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241205171354-8006f302fd12 h1:AKx/w1qpS8We43bsRgf8Nll3CGlDHpr/WAXvuedTNZI= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241205171354-8006f302fd12/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo= github.com/operator-framework/api v0.17.1 h1:J/6+Xj4IEV8C7hcirqUFwOiZAU3PbnJhWvB0/bB51c4= @@ -134,8 +134,8 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= -github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= +github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= @@ -153,8 +153,8 @@ go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI= -golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8= +golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q= +golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4= golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= @@ -163,8 +163,8 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE= -golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg= +golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY= +golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU= golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M= golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -174,22 +174,22 @@ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5h golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k= -golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= -golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ= -golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA= +golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc= +golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU= +golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk= -golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4= +golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM= +golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM= golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY= golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg= -golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s= +golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ= +golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/pkg/payload/render.go b/pkg/payload/render.go index 283c4dca72..03c6257ef1 100644 --- a/pkg/payload/render.go +++ b/pkg/payload/render.go @@ -126,8 +126,11 @@ func renderDir(renderConfig manifestRenderConfig, idir, odir string, requiredFea if skipFiles.Has(file.Name()) { continue } - if strings.Contains(file.Name(), "CustomNoUpgrade") || strings.Contains(file.Name(), "TechPreviewNoUpgrade") || strings.Contains(file.Name(), "DevPreviewNoUpgrade") { - // CustomNoUpgrade, TechPreviewNoUpgrade and DevPreviewNoUpgrade may add features to manifests like the ClusterVersion CRD, + if strings.Contains(file.Name(), "CustomNoUpgrade") || + strings.Contains(file.Name(), "TechPreviewNoUpgrade") || + strings.Contains(file.Name(), "DevPreviewNoUpgrade") || + strings.Contains(file.Name(), "OKD") { + // CustomNoUpgrade, TechPreviewNoUpgrade, DevPreviewNoUpgrade, and OKD may add features to manifests like the ClusterVersion CRD, // but we do not need those features during bootstrap-render time. In those clusters, the production // CVO will be along shortly to update the manifests and deliver the gated features. // fixme: now that we have requiredFeatureSet, use it to do Manifest.Include() filtering here instead of making filename assumptions diff --git a/vendor/github.com/openshift/api/config/v1/types_authentication.go b/vendor/github.com/openshift/api/config/v1/types_authentication.go index 52a41b2fef..e300d4eabc 100644 --- a/vendor/github.com/openshift/api/config/v1/types_authentication.go +++ b/vendor/github.com/openshift/api/config/v1/types_authentication.go @@ -5,7 +5,7 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" // +genclient // +genclient:nonNamespaced // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object -// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDC;ExternalOIDCWithUIDAndExtraClaimMappings,rule="!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace == specC.componentNamespace && statusC.componentName == specC.componentName) || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, oldC.componentNamespace == specC.componentNamespace && oldC.componentName == specC.componentName)))))",message="all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients" +// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDC;ExternalOIDCWithUIDAndExtraClaimMappings;ExternalOIDCWithUpstreamParity,rule="!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace == specC.componentNamespace && statusC.componentName == specC.componentName) || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, oldC.componentNamespace == specC.componentNamespace && oldC.componentName == specC.componentName)))))",message="all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients" // Authentication specifies cluster-wide settings for authentication (like OAuth and // webhook token authenticators). The canonical name of an instance is `cluster`. @@ -91,6 +91,7 @@ type AuthenticationSpec struct { // +kubebuilder:validation:MaxItems=1 // +openshift:enable:FeatureGate=ExternalOIDC // +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings + // +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity // +optional OIDCProviders []OIDCProvider `json:"oidcProviders,omitempty"` } @@ -243,11 +244,27 @@ type OIDCProvider struct { // +listType=atomic // +optional ClaimValidationRules []TokenClaimValidationRule `json:"claimValidationRules,omitempty"` + + // userValidationRules is an optional field that configures the set of rules + // used to validate the cluster user identity that was constructed via + // mapping token claims to user identity attributes. + // Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. + // If any rule in the chain of rules evaluates to 'false', authentication will fail. + // When specified, at least one rule must be specified and no more than 64 rules may be specified. + // + // +kubebuilder:validation:MaxItems=64 + // +kubebuilder:validation:MinItems=1 + // +listType=map + // +listMapKey=expression + // +optional + // +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity + UserValidationRules []TokenUserValidationRule `json:"userValidationRules,omitempty"` } // +kubebuilder:validation:MinLength=1 type TokenAudience string +// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="self.?discoveryURL.orValue(\"\").size() > 0 ? (self.issuerURL.size() == 0 || self.discoveryURL.find('^.+[^/]') != self.issuerURL.find('^.+[^/]')) : true",message="discoveryURL must be different from issuerURL" type TokenIssuer struct { // issuerURL is a required field that configures the URL used to issue tokens // by the identity provider. @@ -291,6 +308,24 @@ type TokenIssuer struct { // // +optional CertificateAuthority ConfigMapNameReference `json:"issuerCertificateAuthority"` + // discoveryURL is an optional field that, if specified, overrides the default discovery endpoint + // used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` + // as "{issuerURL}/.well-known/openid-configuration". + // + // The discoveryURL must be a valid absolute HTTPS URL. It must not contain query + // parameters, user information, or fragments. Additionally, it must differ from the value of `url` (ignoring trailing slashes). + // The discoveryURL value must be at least 1 character long and no longer than 2048 characters. + // + // +optional + // +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity + // +kubebuilder:validation:XValidation:rule="isURL(self)",message="discoveryURL must be a valid URL" + // +kubebuilder:validation:XValidation:rule="url(self).getScheme() == 'https'",message="discoveryURL must be a valid https URL" + // +kubebuilder:validation:XValidation:rule="url(self).getQuery().size() == 0",message="discoveryURL must not contain query parameters" + // +kubebuilder:validation:XValidation:rule="self.matches('^[^#]*$')",message="discoveryURL must not contain fragments" + // +kubebuilder:validation:XValidation:rule="!self.matches('^https://.+:.+@.+/.*$')",message="discoveryURL must not contain user info" + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=2048 + DiscoveryURL string `json:"discoveryURL,omitempty"` } type TokenClaimMappings struct { @@ -717,37 +752,56 @@ type PrefixedClaimMapping struct { Prefix string `json:"prefix"` } -// TokenValidationRuleType represents the different -// claim validation rule types that can be configured. +// TokenValidationRuleType defines the type of token validation rule. // +enum +// +openshift:validation:FeatureGateAwareEnum:featureGate="",enum="RequiredClaim"; +// +openshift:validation:FeatureGateAwareEnum:featureGate=ExternalOIDC,enum="RequiredClaim"; +// +openshift:validation:FeatureGateAwareEnum:featureGate=ExternalOIDCWithUIDAndExtraClaimMappings,enum="RequiredClaim"; +// +openshift:validation:FeatureGateAwareEnum:featureGate=ExternalOIDCWithUpstreamParity,enum="RequiredClaim";"CEL" type TokenValidationRuleType string const ( + // TokenValidationRuleTypeRequiredClaim indicates that the token must contain a specific claim. + // Used as a value for TokenValidationRuleType. TokenValidationRuleTypeRequiredClaim = "RequiredClaim" + // TokenValidationRuleTypeCEL indicates that the token validation is defined via a CEL expression. + // Used as a value for TokenValidationRuleType. + TokenValidationRuleTypeCEL = "CEL" ) +// TokenClaimValidationRule represents a validation rule based on token claims. +// If type is RequiredClaim, requiredClaim must be set. +// If Type is CEL, CEL must be set and RequiredClaim must be omitted. +// +// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'RequiredClaim' ? has(self.requiredClaim) : !has(self.requiredClaim)",message="requiredClaim must be set when type is 'RequiredClaim', and forbidden otherwise" +// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="has(self.type) && self.type == 'CEL' ? has(self.cel) : !has(self.cel)",message="cel must be set when type is 'CEL', and forbidden otherwise" type TokenClaimValidationRule struct { // type is an optional field that configures the type of the validation rule. // - // Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). - // - // When set to 'RequiredClaim', the Kubernetes API server - // will be configured to validate that the incoming JWT - // contains the required claim and that its value matches - // the required value. + // Allowed values are "RequiredClaim" and "CEL". // - // Defaults to 'RequiredClaim'. + // When set to 'RequiredClaim', the Kubernetes API server will be configured + // to validate that the incoming JWT contains the required claim and that its + // value matches the required value. // - // +kubebuilder:validation:Enum={"RequiredClaim"} - // +kubebuilder:default="RequiredClaim" + // When set to 'CEL', the Kubernetes API server will be configured + // to validate the incoming JWT against the configured CEL expression. + // +required Type TokenValidationRuleType `json:"type"` - // requiredClaim is an optional field that configures the required claim - // and value that the Kubernetes API server will use to validate if an incoming - // JWT is valid for this identity provider. + // requiredClaim allows configuring a required claim name and its expected value. + // This field is required when `type` is set to RequiredClaim, and must be omitted + // when `type` is set to any other value. The Kubernetes API server uses this field + // to validate if an incoming JWT is valid for this identity provider. // // +optional RequiredClaim *TokenRequiredClaim `json:"requiredClaim,omitempty"` + + // cel holds the CEL expression and message for validation. + // Must be set when Type is "CEL", and forbidden otherwise. + // +optional + // +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity + CEL TokenClaimValidationCELRule `json:"cel,omitempty,omitzero"` } type TokenRequiredClaim struct { @@ -771,3 +825,45 @@ type TokenRequiredClaim struct { // +required RequiredValue string `json:"requiredValue"` } + +type TokenClaimValidationCELRule struct { + // expression is a CEL expression evaluated against token claims. + // expression is required, must be at least 1 character in length and must not exceed 1024 characters. + // The expression must return a boolean value where 'true' signals a valid token and 'false' an invalid one. + // + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=1024 + // +required + Expression string `json:"expression,omitempty"` + + // message is a required human-readable message to be logged by the Kubernetes API server + // if the CEL expression defined in 'expression' fails. + // message must be at least 1 character in length and must not exceed 256 characters. + // +required + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=256 + Message string `json:"message,omitempty"` +} + +// TokenUserValidationRule provides a CEL-based rule used to validate a token subject. +// Each rule contains a CEL expression that is evaluated against the token’s claims. +type TokenUserValidationRule struct { + // expression is a required CEL expression that performs a validation + // on cluster user identity attributes like username, groups, etc. + // The expression must evaluate to a boolean value. + // When the expression evaluates to 'true', the cluster user identity is considered valid. + // When the expression evaluates to 'false', the cluster user identity is not considered valid. + // expression must be at least 1 character in length and must not exceed 1024 characters. + // + // +required + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=1024 + Expression string `json:"expression,omitempty"` + // message is a required human-readable message to be logged by the Kubernetes API server + // if the CEL expression defined in 'expression' fails. + // message must be at least 1 character in length and must not exceed 256 characters. + // +required + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=256 + Message string `json:"message,omitempty"` +} diff --git a/vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go b/vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go index ca604e05c5..491390098c 100644 --- a/vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go +++ b/vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go @@ -52,7 +52,7 @@ type ClusterImagePolicySpec struct { // policy is a required field that contains configuration to allow scopes to be verified, and defines how // images not matching the verification policy will be treated. // +required - Policy Policy `json:"policy"` + Policy ImageSigstoreVerificationPolicy `json:"policy"` } // +k8s:deepcopy-gen=true diff --git a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go index e5aad151ea..5f36f693de 100644 --- a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go +++ b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go @@ -199,9 +199,23 @@ type ClusterVersionStatus struct { // availableUpdates. This list may be empty if no updates are // recommended, if the update service is unavailable, or if an empty // or invalid channel has been specified. + // +kubebuilder:validation:MaxItems=500 // +listType=atomic // +optional ConditionalUpdates []ConditionalUpdate `json:"conditionalUpdates,omitempty"` + + // conditionalUpdateRisks contains the list of risks associated with conditionalUpdates. + // When performing a conditional update, all its associated risks will be compared with the set of accepted risks in the spec.desiredUpdate.acceptRisks field. + // If all risks for a conditional update are included in the spec.desiredUpdate.acceptRisks set, the conditional update can proceed, otherwise it is blocked. + // The risk names in the list must be unique. + // conditionalUpdateRisks must not contain more than 500 entries. + // +openshift:enable:FeatureGate=ClusterUpdateAcceptRisks + // +kubebuilder:validation:MaxItems=500 + // +kubebuilder:validation:MinItems=1 + // +listType=map + // +listMapKey=name + // +optional + ConditionalUpdateRisks []ConditionalUpdateRisk `json:"conditionalUpdateRisks,omitempty"` } // UpdateState is a constant representing whether an update was successfully @@ -258,7 +272,7 @@ type UpdateHistory struct { Verified bool `json:"verified"` // acceptedRisks records risks which were accepted to initiate the update. - // For example, it may menition an Upgradeable=False or missing signature + // For example, it may mention an Upgradeable=False or missing signature // that was overridden via desiredUpdate.force, or an update that was // initiated despite not being in the availableUpdates set of recommended // update targets. @@ -732,6 +746,30 @@ type Update struct { // // +optional Force bool `json:"force"` + + // acceptRisks is an optional set of names of conditional update risks that are considered acceptable. + // A conditional update is performed only if all of its risks are acceptable. + // This list may contain entries that apply to current, previous or future updates. + // The entries therefore may not map directly to a risk in .status.conditionalUpdateRisks. + // acceptRisks must not contain more than 1000 entries. + // Entries in this list must be unique. + // +openshift:enable:FeatureGate=ClusterUpdateAcceptRisks + // +kubebuilder:validation:MaxItems=1000 + // +kubebuilder:validation:MinItems=1 + // +listType=map + // +listMapKey=name + // +optional + AcceptRisks []AcceptRisk `json:"acceptRisks,omitempty"` +} + +// AcceptRisk represents a risk that is considered acceptable. +type AcceptRisk struct { + // name is the name of the acceptable risk. + // It must be a non-empty string and must not exceed 256 characters. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=256 + // +required + Name string `json:"name,omitempty"` } // Release represents an OpenShift release image and associated metadata. @@ -787,12 +825,27 @@ type ConditionalUpdate struct { // +required Release Release `json:"release"` + // riskNames represents the set of the names of conditionalUpdateRisks that are relevant to this update for some clusters. + // The Applies condition of each conditionalUpdateRisks entry declares if that risk applies to this cluster. + // A conditional update is accepted only if each of its risks either does not apply to the cluster or is considered acceptable by the cluster administrator. + // The latter means that the risk names are included in value of the spec.desiredUpdate.acceptRisks field. + // Entries must be unique and must not exceed 256 characters. + // riskNames must not contain more than 500 entries. + // +openshift:enable:FeatureGate=ClusterUpdateAcceptRisks + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:items:MaxLength=256 + // +kubebuilder:validation:MaxItems=500 + // +listType=set + // +optional + RiskNames []string `json:"riskNames,omitempty"` + // risks represents the range of issues associated with // updating to the target release. The cluster-version // operator will evaluate all entries, and only recommend the // update if there is at least one entry and all entries // recommend the update. // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=200 // +patchMergeKey=name // +patchStrategy=merge // +listType=map @@ -813,6 +866,20 @@ type ConditionalUpdate struct { // for not recommending a conditional update. // +k8s:deepcopy-gen=true type ConditionalUpdateRisk struct { + // conditions represents the observations of the conditional update + // risk's current status. Known types are: + // * Applies, for whether the risk applies to the current cluster. + // The condition's types in the list must be unique. + // conditions must not contain more than one entry. + // +openshift:enable:FeatureGate=ClusterUpdateAcceptRisks + // +kubebuilder:validation:XValidation:rule="self.exists_one(x, x.type == 'Applies')",message="must contain a condition of type 'Applies'" + // +kubebuilder:validation:MaxItems=8 + // +kubebuilder:validation:MinItems=1 + // +listType=map + // +listMapKey=type + // +optional + Conditions []metav1.Condition `json:"conditions,omitempty"` + // url contains information about this risk. // +kubebuilder:validation:Format=uri // +kubebuilder:validation:MinLength=1 diff --git a/vendor/github.com/openshift/api/config/v1/types_feature.go b/vendor/github.com/openshift/api/config/v1/types_feature.go index 169e29c5c5..e111d518ab 100644 --- a/vendor/github.com/openshift/api/config/v1/types_feature.go +++ b/vendor/github.com/openshift/api/config/v1/types_feature.go @@ -53,8 +53,12 @@ var ( // your cluster may fail in an unrecoverable way. CustomNoUpgrade FeatureSet = "CustomNoUpgrade" + // OKD turns on features for OKD. Turning this feature set ON is supported for OKD clusters, but NOT for OpenShift clusters. + // Once enabled, this feature set cannot be changed back to Default, but can be changed to other feature sets and it allows upgrades. + OKD FeatureSet = "OKD" + // AllFixedFeatureSets are the featuresets that have known featuregates. Custom doesn't for instance. LatencySensitive is dead - AllFixedFeatureSets = []FeatureSet{Default, TechPreviewNoUpgrade, DevPreviewNoUpgrade} + AllFixedFeatureSets = []FeatureSet{Default, TechPreviewNoUpgrade, DevPreviewNoUpgrade, OKD} ) type FeatureGateSpec struct { @@ -67,10 +71,11 @@ type FeatureGateSelection struct { // Turning on or off features may cause irreversible changes in your cluster which cannot be undone. // +unionDiscriminator // +optional - // +kubebuilder:validation:Enum=CustomNoUpgrade;DevPreviewNoUpgrade;TechPreviewNoUpgrade;"" + // +kubebuilder:validation:Enum=CustomNoUpgrade;DevPreviewNoUpgrade;TechPreviewNoUpgrade;OKD;"" // +kubebuilder:validation:XValidation:rule="oldSelf == 'CustomNoUpgrade' ? self == 'CustomNoUpgrade' : true",message="CustomNoUpgrade may not be changed" // +kubebuilder:validation:XValidation:rule="oldSelf == 'TechPreviewNoUpgrade' ? self == 'TechPreviewNoUpgrade' : true",message="TechPreviewNoUpgrade may not be changed" // +kubebuilder:validation:XValidation:rule="oldSelf == 'DevPreviewNoUpgrade' ? self == 'DevPreviewNoUpgrade' : true",message="DevPreviewNoUpgrade may not be changed" + // +kubebuilder:validation:XValidation:rule="oldSelf == 'OKD' ? self != '' : true",message="OKD cannot transition to Default" FeatureSet FeatureSet `json:"featureSet,omitempty"` // customNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES. diff --git a/vendor/github.com/openshift/api/config/v1/types_image_policy.go b/vendor/github.com/openshift/api/config/v1/types_image_policy.go index 54bd21adb4..3cc46141c9 100644 --- a/vendor/github.com/openshift/api/config/v1/types_image_policy.go +++ b/vendor/github.com/openshift/api/config/v1/types_image_policy.go @@ -51,7 +51,7 @@ type ImagePolicySpec struct { // policy is a required field that contains configuration to allow scopes to be verified, and defines how // images not matching the verification policy will be treated. // +required - Policy Policy `json:"policy"` + Policy ImageSigstoreVerificationPolicy `json:"policy"` } // +kubebuilder:validation:XValidation:rule="size(self.split('/')[0].split('.')) == 1 ? self.split('/')[0].split('.')[0].split(':')[0] == 'localhost' : true",message="invalid image scope format, scope must contain a fully qualified domain name or 'localhost'" @@ -60,8 +60,8 @@ type ImagePolicySpec struct { // +kubebuilder:validation:MaxLength=512 type ImageScope string -// Policy defines the verification policy for the items in the scopes list. -type Policy struct { +// ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list. +type ImageSigstoreVerificationPolicy struct { // rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. // This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. // +required @@ -82,25 +82,25 @@ type PolicyRootOfTrust struct { // Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". // When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. // When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. - // When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + // When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). // +unionDiscriminator // +required PolicyType PolicyType `json:"policyType"` // publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. // publicKey is required when policyType is PublicKey, and forbidden otherwise. // +optional - PublicKey *PublicKey `json:"publicKey,omitempty"` + PublicKey *ImagePolicyPublicKeyRootOfTrust `json:"publicKey,omitempty"` // fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. // fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise // For more information about Fulcio and Rekor, please refer to the document at: // https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor // +optional - FulcioCAWithRekor *FulcioCAWithRekor `json:"fulcioCAWithRekor,omitempty"` + FulcioCAWithRekor *ImagePolicyFulcioCAWithRekorRootOfTrust `json:"fulcioCAWithRekor,omitempty"` // pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. // pki is required when policyType is PKI, and forbidden otherwise. // +optional // +openshift:enable:FeatureGate=SigstoreImageVerificationPKI - PKI *PKI `json:"pki,omitempty"` + PKI *ImagePolicyPKIRootOfTrust `json:"pki,omitempty"` } // +openshift:validation:FeatureGateAwareEnum:featureGate="",enum=PublicKey;FulcioCAWithRekor @@ -113,8 +113,8 @@ const ( PKIRootOfTrust PolicyType = "PKI" ) -// PublicKey defines the root of trust based on a sigstore public key. -type PublicKey struct { +// ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key. +type ImagePolicyPublicKeyRootOfTrust struct { // keyData is a required field contains inline base64-encoded data for the PEM format public key. // keyData must be at most 8192 characters. // +required @@ -132,8 +132,8 @@ type PublicKey struct { RekorKeyData []byte `json:"rekorKeyData,omitempty"` } -// FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. -type FulcioCAWithRekor struct { +// ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key. +type ImagePolicyFulcioCAWithRekorRootOfTrust struct { // fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. // fulcioCAData must be at most 8192 characters. // +required @@ -172,8 +172,8 @@ type PolicyFulcioSubject struct { SignedEmail string `json:"signedEmail"` } -// PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates. -type PKI struct { +// ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates. +type ImagePolicyPKIRootOfTrust struct { // caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. // +required // +kubebuilder:validation:MaxLength=8192 diff --git a/vendor/github.com/openshift/api/config/v1/types_scheduling.go b/vendor/github.com/openshift/api/config/v1/types_scheduling.go index 028bbd495d..a81ed9f30c 100644 --- a/vendor/github.com/openshift/api/config/v1/types_scheduling.go +++ b/vendor/github.com/openshift/api/config/v1/types_scheduling.go @@ -50,7 +50,6 @@ type SchedulerSpec struct { // profileCustomizations contains configuration for modifying the default behavior of existing scheduler profiles. // Deprecated: no longer needed, since DRA is GA starting with 4.21, and // is enabled by' default in the cluster, this field will be removed in 4.24. - // +openshift:enable:FeatureGate=DynamicResourceAllocation // +openshift:enable:FeatureGate=HyperShiftOnlyDynamicResourceAllocation // +optional ProfileCustomizations ProfileCustomizations `json:"profileCustomizations"` diff --git a/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go b/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go index b18ef647c2..1e5189796e 100644 --- a/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go +++ b/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go @@ -4,178 +4,130 @@ package v1 // is used by operators to apply TLS security settings to operands. // +union type TLSSecurityProfile struct { - // type is one of Old, Intermediate, Modern or Custom. Custom provides - // the ability to specify individual TLS security profile parameters. - // Old, Intermediate and Modern are TLS security profiles based on: + // type is one of Old, Intermediate, Modern or Custom. Custom provides the + // ability to specify individual TLS security profile parameters. // - // https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + // The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + // configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + // forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json // - // The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - // are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - // reduced. - // - // Note that the Modern profile is currently not supported because it is not - // yet well adopted by common software libraries. + // The profiles are intent based, so they may change over time as new ciphers are + // developed and existing ciphers are found to be insecure. Depending on + // precisely which ciphers are available to a process, the list may be reduced. // // +unionDiscriminator // +optional Type TLSProfileType `json:"type"` - // old is a TLS security profile based on: - // - // https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility + + // old is a TLS profile for use when services need to be accessed by very old + // clients or libraries and should be used only as a last resort. // - // and looks like this (yaml): + // The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + // by the "old" profile ciphers. // + // This profile is equivalent to a Custom profile specified as: + // minTLSVersion: VersionTLS10 // ciphers: - // // - TLS_AES_128_GCM_SHA256 - // // - TLS_AES_256_GCM_SHA384 - // // - TLS_CHACHA20_POLY1305_SHA256 - // // - ECDHE-ECDSA-AES128-GCM-SHA256 - // // - ECDHE-RSA-AES128-GCM-SHA256 - // // - ECDHE-ECDSA-AES256-GCM-SHA384 - // // - ECDHE-RSA-AES256-GCM-SHA384 - // // - ECDHE-ECDSA-CHACHA20-POLY1305 - // // - ECDHE-RSA-CHACHA20-POLY1305 - // // - DHE-RSA-AES128-GCM-SHA256 - // // - DHE-RSA-AES256-GCM-SHA384 - // // - DHE-RSA-CHACHA20-POLY1305 - // // - ECDHE-ECDSA-AES128-SHA256 - // // - ECDHE-RSA-AES128-SHA256 - // // - ECDHE-ECDSA-AES128-SHA - // // - ECDHE-RSA-AES128-SHA - // // - ECDHE-ECDSA-AES256-SHA384 - // // - ECDHE-RSA-AES256-SHA384 - // // - ECDHE-ECDSA-AES256-SHA - // // - ECDHE-RSA-AES256-SHA - // // - DHE-RSA-AES128-SHA256 - // // - DHE-RSA-AES256-SHA256 - // // - AES128-GCM-SHA256 - // // - AES256-GCM-SHA384 - // // - AES128-SHA256 - // // - AES256-SHA256 - // // - AES128-SHA - // // - AES256-SHA - // // - DES-CBC3-SHA // - // minTLSVersion: VersionTLS10 - // // +optional // +nullable Old *OldTLSProfile `json:"old,omitempty"` - // intermediate is a TLS security profile based on: - // - // https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + + // intermediate is a TLS profile for use when you do not need compatibility with + // legacy clients and want to remain highly secure while being compatible with + // most clients currently in use. // - // and looks like this (yaml): + // The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + // by the "intermediate" profile ciphers. // + // This profile is equivalent to a Custom profile specified as: + // minTLSVersion: VersionTLS12 // ciphers: - // // - TLS_AES_128_GCM_SHA256 - // // - TLS_AES_256_GCM_SHA384 - // // - TLS_CHACHA20_POLY1305_SHA256 - // // - ECDHE-ECDSA-AES128-GCM-SHA256 - // // - ECDHE-RSA-AES128-GCM-SHA256 - // // - ECDHE-ECDSA-AES256-GCM-SHA384 - // // - ECDHE-RSA-AES256-GCM-SHA384 - // // - ECDHE-ECDSA-CHACHA20-POLY1305 - // // - ECDHE-RSA-CHACHA20-POLY1305 - // // - DHE-RSA-AES128-GCM-SHA256 - // // - DHE-RSA-AES256-GCM-SHA384 // - // minTLSVersion: VersionTLS12 - // // +optional // +nullable Intermediate *IntermediateTLSProfile `json:"intermediate,omitempty"` - // modern is a TLS security profile based on: - // - // https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - // - // and looks like this (yaml): + + // modern is a TLS security profile for use with clients that support TLS 1.3 and + // do not need backward compatibility for older clients. // + // This profile is equivalent to a Custom profile specified as: + // minTLSVersion: VersionTLS13 // ciphers: - // // - TLS_AES_128_GCM_SHA256 - // // - TLS_AES_256_GCM_SHA384 - // // - TLS_CHACHA20_POLY1305_SHA256 // - // minTLSVersion: VersionTLS13 - // // +optional // +nullable Modern *ModernTLSProfile `json:"modern,omitempty"` + // custom is a user-defined TLS security profile. Be extremely careful using a custom // profile as invalid configurations can be catastrophic. An example custom profile // looks like this: // + // minTLSVersion: VersionTLS11 // ciphers: - // // - ECDHE-ECDSA-CHACHA20-POLY1305 - // // - ECDHE-RSA-CHACHA20-POLY1305 - // // - ECDHE-RSA-AES128-GCM-SHA256 - // // - ECDHE-ECDSA-AES128-GCM-SHA256 // - // minTLSVersion: VersionTLS11 - // // +optional // +nullable Custom *CustomTLSProfile `json:"custom,omitempty"` } -// OldTLSProfile is a TLS security profile based on: -// https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility +// OldTLSProfile is a TLS security profile based on the "old" configuration of +// the Mozilla Server Side TLS configuration guidelines. type OldTLSProfile struct{} -// IntermediateTLSProfile is a TLS security profile based on: -// https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29 +// IntermediateTLSProfile is a TLS security profile based on the "intermediate" +// configuration of the Mozilla Server Side TLS configuration guidelines. type IntermediateTLSProfile struct{} -// ModernTLSProfile is a TLS security profile based on: -// https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility +// ModernTLSProfile is a TLS security profile based on the "modern" configuration +// of the Mozilla Server Side TLS configuration guidelines. type ModernTLSProfile struct{} // CustomTLSProfile is a user-defined TLS security profile. Be extremely careful @@ -189,16 +141,19 @@ type CustomTLSProfile struct { type TLSProfileType string const ( - // Old is a TLS security profile based on: - // https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility + // TLSProfileOldType sets parameters based on the "old" configuration of + // the Mozilla Server Side TLS configuration guidelines. TLSProfileOldType TLSProfileType = "Old" - // Intermediate is a TLS security profile based on: - // https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29 + + // TLSProfileIntermediateType sets parameters based on the "intermediate" + // configuration of the Mozilla Server Side TLS configuration guidelines. TLSProfileIntermediateType TLSProfileType = "Intermediate" - // Modern is a TLS security profile based on: - // https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility + + // TLSProfileModernType sets parameters based on the "modern" configuration + // of the Mozilla Server Side TLS configuration guidelines. TLSProfileModernType TLSProfileType = "Modern" - // Custom is a TLS security profile that allows for user-defined parameters. + + // TLSProfileCustomType is a TLS security profile that allows for user-defined parameters. TLSProfileCustomType TLSProfileType = "Custom" ) @@ -219,8 +174,6 @@ type TLSProfileSpec struct { // // minTLSVersion: VersionTLS11 // - // NOTE: currently the highest minTLSVersion allowed is VersionTLS12 - // MinTLSVersion TLSProtocolVersion `json:"minTLSVersion"` } @@ -245,11 +198,16 @@ const ( VersionTLS13 TLSProtocolVersion = "VersionTLS13" ) -// TLSProfiles Contains a map of TLSProfileType names to TLSProfileSpec. +// TLSProfiles contains a map of TLSProfileType names to TLSProfileSpec. +// +// These profiles are based on version 5.0 of the Mozilla Server Side TLS +// configuration guidelines (2019-06-28) with TLS 1.3 cipher suites prepended for +// forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json // -// NOTE: The caller needs to make sure to check that these constants are valid for their binary. Not all -// entries map to values for all binaries. In the case of ties, the kube-apiserver wins. Do not fail, -// just be sure to whitelist only and everything will be ok. +// NOTE: The caller needs to make sure to check that these constants are valid +// for their binary. Not all entries map to values for all binaries. In the case +// of ties, the kube-apiserver wins. Do not fail, just be sure to include only +// valid entries and everything will be ok. var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{ TLSProfileOldType: { Ciphers: []string{ diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-CustomNoUpgrade.crd.yaml index 762416197a..c89d45ddcd 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-CustomNoUpgrade.crd.yaml @@ -156,6 +156,34 @@ spec: rollbacks will succeed, and some may unrecoverably break the cluster. properties: + acceptRisks: + description: |- + acceptRisks is an optional set of names of conditional update risks that are considered acceptable. + A conditional update is performed only if all of its risks are acceptable. + This list may contain entries that apply to current, previous or future updates. + The entries therefore may not map directly to a risk in .status.conditionalUpdateRisks. + acceptRisks must not contain more than 1000 entries. + Entries in this list must be unique. + items: + description: AcceptRisk represents a risk that is considered + acceptable. + properties: + name: + description: |- + name is the name of the acceptable risk. + It must be a non-empty string and must not exceed 256 characters. + maxLength: 256 + minLength: 1 + type: string + required: + - name + type: object + maxItems: 1000 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map architecture: description: |- architecture is an optional field that indicates the desired @@ -428,6 +456,166 @@ spec: type: array x-kubernetes-list-type: atomic type: object + conditionalUpdateRisks: + description: |- + conditionalUpdateRisks contains the list of risks associated with conditionalUpdates. + When performing a conditional update, all its associated risks will be compared with the set of accepted risks in the spec.desiredUpdate.acceptRisks field. + If all risks for a conditional update are included in the spec.desiredUpdate.acceptRisks set, the conditional update can proceed, otherwise it is blocked. + The risk names in the list must be unique. + conditionalUpdateRisks must not contain more than 500 entries. + items: + description: |- + ConditionalUpdateRisk represents a reason and cluster-state + for not recommending a conditional update. + properties: + conditions: + description: |- + conditions represents the observations of the conditional update + risk's current status. Known types are: + * Applies, for whether the risk applies to the current cluster. + The condition's types in the list must be unique. + conditions must not contain more than one entry. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: must contain a condition of type 'Applies' + rule: self.exists_one(x, x.type == 'Applies') + matchingRules: + description: |- + matchingRules is a slice of conditions for deciding which + clusters match the risk and which do not. The slice is + ordered by decreasing precedence. The cluster-version + operator will walk the slice in order, and stop after the + first it can successfully evaluate. If no condition can be + successfully evaluated, the update will not be recommended. + items: + description: |- + ClusterCondition is a union of typed cluster conditions. The 'type' + property determines which of the type-specific properties are relevant. + When evaluated on a cluster, the condition may match, not match, or + fail to evaluate. + properties: + promql: + description: promql represents a cluster condition based + on PromQL. + properties: + promql: + description: |- + promql is a PromQL query classifying clusters. This query + query should return a 1 in the match case and a 0 in the + does-not-match case. Queries which return no time + series, or which return values besides 0 or 1, are + evaluation failures. + type: string + required: + - promql + type: object + type: + description: |- + type represents the cluster-condition type. This defines + the members and semantics of any additional properties. + enum: + - Always + - PromQL + type: string + required: + - type + type: object + minItems: 1 + type: array + x-kubernetes-list-type: atomic + message: + description: |- + message provides additional information about the risk of + updating, in the event that matchingRules match the cluster + state. This is only to be consumed by humans. It may + contain Line Feed characters (U+000A), which should be + rendered as new lines. + minLength: 1 + type: string + name: + description: |- + name is the CamelCase reason for not recommending a + conditional update, in the event that matchingRules match the + cluster state. + minLength: 1 + type: string + url: + description: url contains information about this risk. + format: uri + minLength: 1 + type: string + required: + - matchingRules + - message + - name + - url + type: object + maxItems: 500 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map conditionalUpdates: description: |- conditionalUpdates contains the list of updates that may be @@ -552,6 +740,21 @@ spec: - image - version type: object + riskNames: + description: |- + riskNames represents the set of the names of conditionalUpdateRisks that are relevant to this update for some clusters. + The Applies condition of each conditionalUpdateRisks entry declares if that risk applies to this cluster. + A conditional update is accepted only if each of its risks either does not apply to the cluster or is considered acceptable by the cluster administrator. + The latter means that the risk names are included in value of the spec.desiredUpdate.acceptRisks field. + Entries must be unique and must not exceed 256 characters. + riskNames must not contain more than 500 entries. + items: + maxLength: 256 + type: string + maxItems: 500 + minItems: 1 + type: array + x-kubernetes-list-type: set risks: description: |- risks represents the range of issues associated with @@ -564,6 +767,78 @@ spec: ConditionalUpdateRisk represents a reason and cluster-state for not recommending a conditional update. properties: + conditions: + description: |- + conditions represents the observations of the conditional update + risk's current status. Known types are: + * Applies, for whether the risk applies to the current cluster. + The condition's types in the list must be unique. + conditions must not contain more than one entry. + items: + description: Condition contains details for one aspect + of the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, + False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: must contain a condition of type 'Applies' + rule: self.exists_one(x, x.type == 'Applies') matchingRules: description: |- matchingRules is a slice of conditions for deciding which @@ -635,6 +910,7 @@ spec: - name - url type: object + maxItems: 200 minItems: 1 type: array x-kubernetes-list-map-keys: @@ -644,6 +920,7 @@ spec: - release - risks type: object + maxItems: 500 type: array x-kubernetes-list-type: atomic conditions: @@ -753,7 +1030,7 @@ spec: acceptedRisks: description: |- acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature + For example, it may mention an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets. diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-Default.crd.yaml index 1388523f84..430a39025f 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-Default.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-Default.crd.yaml @@ -584,6 +584,7 @@ spec: - name - url type: object + maxItems: 200 minItems: 1 type: array x-kubernetes-list-map-keys: @@ -593,6 +594,7 @@ spec: - release - risks type: object + maxItems: 500 type: array x-kubernetes-list-type: atomic conditions: @@ -702,7 +704,7 @@ spec: acceptedRisks: description: |- acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature + For example, it may mention an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets. diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-DevPreviewNoUpgrade.crd.yaml index cae91bdb40..f24b2a16a1 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-DevPreviewNoUpgrade.crd.yaml @@ -156,6 +156,34 @@ spec: rollbacks will succeed, and some may unrecoverably break the cluster. properties: + acceptRisks: + description: |- + acceptRisks is an optional set of names of conditional update risks that are considered acceptable. + A conditional update is performed only if all of its risks are acceptable. + This list may contain entries that apply to current, previous or future updates. + The entries therefore may not map directly to a risk in .status.conditionalUpdateRisks. + acceptRisks must not contain more than 1000 entries. + Entries in this list must be unique. + items: + description: AcceptRisk represents a risk that is considered + acceptable. + properties: + name: + description: |- + name is the name of the acceptable risk. + It must be a non-empty string and must not exceed 256 characters. + maxLength: 256 + minLength: 1 + type: string + required: + - name + type: object + maxItems: 1000 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map architecture: description: |- architecture is an optional field that indicates the desired @@ -428,6 +456,166 @@ spec: type: array x-kubernetes-list-type: atomic type: object + conditionalUpdateRisks: + description: |- + conditionalUpdateRisks contains the list of risks associated with conditionalUpdates. + When performing a conditional update, all its associated risks will be compared with the set of accepted risks in the spec.desiredUpdate.acceptRisks field. + If all risks for a conditional update are included in the spec.desiredUpdate.acceptRisks set, the conditional update can proceed, otherwise it is blocked. + The risk names in the list must be unique. + conditionalUpdateRisks must not contain more than 500 entries. + items: + description: |- + ConditionalUpdateRisk represents a reason and cluster-state + for not recommending a conditional update. + properties: + conditions: + description: |- + conditions represents the observations of the conditional update + risk's current status. Known types are: + * Applies, for whether the risk applies to the current cluster. + The condition's types in the list must be unique. + conditions must not contain more than one entry. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: must contain a condition of type 'Applies' + rule: self.exists_one(x, x.type == 'Applies') + matchingRules: + description: |- + matchingRules is a slice of conditions for deciding which + clusters match the risk and which do not. The slice is + ordered by decreasing precedence. The cluster-version + operator will walk the slice in order, and stop after the + first it can successfully evaluate. If no condition can be + successfully evaluated, the update will not be recommended. + items: + description: |- + ClusterCondition is a union of typed cluster conditions. The 'type' + property determines which of the type-specific properties are relevant. + When evaluated on a cluster, the condition may match, not match, or + fail to evaluate. + properties: + promql: + description: promql represents a cluster condition based + on PromQL. + properties: + promql: + description: |- + promql is a PromQL query classifying clusters. This query + query should return a 1 in the match case and a 0 in the + does-not-match case. Queries which return no time + series, or which return values besides 0 or 1, are + evaluation failures. + type: string + required: + - promql + type: object + type: + description: |- + type represents the cluster-condition type. This defines + the members and semantics of any additional properties. + enum: + - Always + - PromQL + type: string + required: + - type + type: object + minItems: 1 + type: array + x-kubernetes-list-type: atomic + message: + description: |- + message provides additional information about the risk of + updating, in the event that matchingRules match the cluster + state. This is only to be consumed by humans. It may + contain Line Feed characters (U+000A), which should be + rendered as new lines. + minLength: 1 + type: string + name: + description: |- + name is the CamelCase reason for not recommending a + conditional update, in the event that matchingRules match the + cluster state. + minLength: 1 + type: string + url: + description: url contains information about this risk. + format: uri + minLength: 1 + type: string + required: + - matchingRules + - message + - name + - url + type: object + maxItems: 500 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map conditionalUpdates: description: |- conditionalUpdates contains the list of updates that may be @@ -552,6 +740,21 @@ spec: - image - version type: object + riskNames: + description: |- + riskNames represents the set of the names of conditionalUpdateRisks that are relevant to this update for some clusters. + The Applies condition of each conditionalUpdateRisks entry declares if that risk applies to this cluster. + A conditional update is accepted only if each of its risks either does not apply to the cluster or is considered acceptable by the cluster administrator. + The latter means that the risk names are included in value of the spec.desiredUpdate.acceptRisks field. + Entries must be unique and must not exceed 256 characters. + riskNames must not contain more than 500 entries. + items: + maxLength: 256 + type: string + maxItems: 500 + minItems: 1 + type: array + x-kubernetes-list-type: set risks: description: |- risks represents the range of issues associated with @@ -564,6 +767,78 @@ spec: ConditionalUpdateRisk represents a reason and cluster-state for not recommending a conditional update. properties: + conditions: + description: |- + conditions represents the observations of the conditional update + risk's current status. Known types are: + * Applies, for whether the risk applies to the current cluster. + The condition's types in the list must be unique. + conditions must not contain more than one entry. + items: + description: Condition contains details for one aspect + of the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, + False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: must contain a condition of type 'Applies' + rule: self.exists_one(x, x.type == 'Applies') matchingRules: description: |- matchingRules is a slice of conditions for deciding which @@ -635,6 +910,7 @@ spec: - name - url type: object + maxItems: 200 minItems: 1 type: array x-kubernetes-list-map-keys: @@ -644,6 +920,7 @@ spec: - release - risks type: object + maxItems: 500 type: array x-kubernetes-list-type: atomic conditions: @@ -753,7 +1030,7 @@ spec: acceptedRisks: description: |- acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature + For example, it may mention an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets. diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-OKD.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-OKD.crd.yaml new file mode 100644 index 0000000000..1ae333ddc6 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-OKD.crd.yaml @@ -0,0 +1,796 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/495 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: OKD + name: clusterversions.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ClusterVersion + listKind: ClusterVersionList + plural: clusterversions + singular: clusterversion + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.history[?(@.state=="Completed")].version + name: Version + type: string + - jsonPath: .status.conditions[?(@.type=="Available")].status + name: Available + type: string + - jsonPath: .status.conditions[?(@.type=="Progressing")].status + name: Progressing + type: string + - jsonPath: .status.conditions[?(@.type=="Progressing")].lastTransitionTime + name: Since + type: date + - jsonPath: .status.conditions[?(@.type=="Progressing")].message + name: Status + type: string + name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterVersion is the configuration for the ClusterVersionOperator. This is where + parameters related to automatic updates can be set. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec is the desired state of the cluster version - the operator will work + to ensure that the desired version is applied to the cluster. + properties: + capabilities: + description: |- + capabilities configures the installation of optional, core + cluster components. A null value here is identical to an + empty object; see the child properties for default semantics. + properties: + additionalEnabledCapabilities: + description: |- + additionalEnabledCapabilities extends the set of managed + capabilities beyond the baseline defined in + baselineCapabilitySet. The default is an empty set. + items: + description: ClusterVersionCapability enumerates optional, core + cluster components. + enum: + - openshift-samples + - baremetal + - marketplace + - Console + - Insights + - Storage + - CSISnapshot + - NodeTuning + - MachineAPI + - Build + - DeploymentConfig + - ImageRegistry + - OperatorLifecycleManager + - CloudCredential + - Ingress + - CloudControllerManager + - OperatorLifecycleManagerV1 + type: string + type: array + x-kubernetes-list-type: atomic + baselineCapabilitySet: + description: |- + baselineCapabilitySet selects an initial set of + optional capabilities to enable, which can be extended via + additionalEnabledCapabilities. If unset, the cluster will + choose a default, and the default may change over time. + The current default is vCurrent. + enum: + - None + - v4.11 + - v4.12 + - v4.13 + - v4.14 + - v4.15 + - v4.16 + - v4.17 + - v4.18 + - vCurrent + type: string + type: object + channel: + description: |- + channel is an identifier for explicitly requesting a non-default set + of updates to be applied to this cluster. The default channel will + contain stable updates that are appropriate for production clusters. + type: string + clusterID: + description: |- + clusterID uniquely identifies this cluster. This is expected to be + an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in + hexadecimal values). This is a required field. + type: string + desiredUpdate: + description: |- + desiredUpdate is an optional field that indicates the desired value of + the cluster version. Setting this value will trigger an upgrade (if + the current version does not match the desired version). The set of + recommended update values is listed as part of available updates in + status, and setting values outside that range may cause the upgrade + to fail. + + Some of the fields are inter-related with restrictions and meanings described here. + 1. image is specified, version is specified, architecture is specified. API validation error. + 2. image is specified, version is specified, architecture is not specified. The version extracted from the referenced image must match the specified version. + 3. image is specified, version is not specified, architecture is specified. API validation error. + 4. image is specified, version is not specified, architecture is not specified. image is used. + 5. image is not specified, version is specified, architecture is specified. version and desired architecture are used to select an image. + 6. image is not specified, version is specified, architecture is not specified. version and current architecture are used to select an image. + 7. image is not specified, version is not specified, architecture is specified. API validation error. + 8. image is not specified, version is not specified, architecture is not specified. API validation error. + + If an upgrade fails the operator will halt and report status + about the failing component. Setting the desired update value back to + the previous version will cause a rollback to be attempted if the + previous version is within the current minor version. Not all + rollbacks will succeed, and some may unrecoverably break the + cluster. + properties: + architecture: + description: |- + architecture is an optional field that indicates the desired + value of the cluster architecture. In this context cluster + architecture means either a single architecture or a multi + architecture. architecture can only be set to Multi thereby + only allowing updates from single to multi architecture. If + architecture is set, image cannot be set and version must be + set. + Valid values are 'Multi' and empty. + enum: + - Multi + - "" + type: string + force: + description: |- + force allows an administrator to update to an image that has failed + verification or upgradeable checks that are designed to keep your + cluster safe. Only use this if: + * you are testing unsigned release images in short-lived test clusters or + * you are working around a known bug in the cluster-version + operator and you have verified the authenticity of the provided + image yourself. + The provided image will run with full administrative access + to the cluster. Do not use this flag with images that come from unknown + or potentially malicious sources. + type: boolean + image: + description: |- + image is a container image location that contains the update. + image should be used when the desired version does not exist in availableUpdates or history. + When image is set, architecture cannot be specified. + If both version and image are set, the version extracted from the referenced image must match the specified version. + type: string + version: + description: |- + version is a semantic version identifying the update version. + version is required if architecture is specified. + If both version and image are set, the version extracted from the referenced image must match the specified version. + type: string + type: object + x-kubernetes-validations: + - message: cannot set both Architecture and Image + rule: 'has(self.architecture) && has(self.image) ? (self.architecture + == "" || self.image == "") : true' + - message: Version must be set if Architecture is set + rule: 'has(self.architecture) && self.architecture != "" ? self.version + != "" : true' + overrides: + description: |- + overrides is list of overides for components that are managed by + cluster version operator. Marking a component unmanaged will prevent + the operator from creating or updating the object. + items: + description: |- + ComponentOverride allows overriding cluster version operator's behavior + for a component. + properties: + group: + description: group identifies the API group that the kind is + in. + type: string + kind: + description: kind indentifies which object to override. + type: string + name: + description: name is the component's name. + type: string + namespace: + description: |- + namespace is the component's namespace. If the resource is cluster + scoped, the namespace should be empty. + type: string + unmanaged: + description: |- + unmanaged controls if cluster version operator should stop managing the + resources in this cluster. + Default: false + type: boolean + required: + - group + - kind + - name + - namespace + - unmanaged + type: object + type: array + x-kubernetes-list-map-keys: + - kind + - group + - namespace + - name + x-kubernetes-list-type: map + upstream: + description: |- + upstream may be used to specify the preferred update server. By default + it will use the appropriate update server for the cluster and region. + type: string + required: + - clusterID + type: object + status: + description: |- + status contains information about the available updates and any in-progress + updates. + properties: + availableUpdates: + description: |- + availableUpdates contains updates recommended for this + cluster. Updates which appear in conditionalUpdates but not in + availableUpdates may expose this cluster to known issues. This list + may be empty if no updates are recommended, if the update service + is unavailable, or if an invalid channel has been specified. + items: + description: Release represents an OpenShift release image and associated + metadata. + properties: + architecture: + description: |- + architecture is an optional field that indicates the + value of the cluster architecture. In this context cluster + architecture means either a single architecture or a multi + architecture. + Valid values are 'Multi' and empty. + enum: + - Multi + - "" + type: string + channels: + description: |- + channels is the set of Cincinnati channels to which the release + currently belongs. + items: + type: string + type: array + x-kubernetes-list-type: set + image: + description: |- + image is a container image location that contains the update. When this + field is part of spec, image is optional if version is specified and the + availableUpdates field contains a matching version. + type: string + url: + description: |- + url contains information about this release. This URL is set by + the 'url' metadata property on a release or the metadata returned by + the update API and should be displayed as a link in user + interfaces. The URL field may not be set for test or nightly + releases. + type: string + version: + description: |- + version is a semantic version identifying the update version. When this + field is part of spec, version is optional if image is specified. + type: string + required: + - image + - version + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic + capabilities: + description: capabilities describes the state of optional, core cluster + components. + properties: + enabledCapabilities: + description: enabledCapabilities lists all the capabilities that + are currently managed. + items: + description: ClusterVersionCapability enumerates optional, core + cluster components. + enum: + - openshift-samples + - baremetal + - marketplace + - Console + - Insights + - Storage + - CSISnapshot + - NodeTuning + - MachineAPI + - Build + - DeploymentConfig + - ImageRegistry + - OperatorLifecycleManager + - CloudCredential + - Ingress + - CloudControllerManager + - OperatorLifecycleManagerV1 + type: string + type: array + x-kubernetes-list-type: atomic + knownCapabilities: + description: knownCapabilities lists all the capabilities known + to the current cluster. + items: + description: ClusterVersionCapability enumerates optional, core + cluster components. + enum: + - openshift-samples + - baremetal + - marketplace + - Console + - Insights + - Storage + - CSISnapshot + - NodeTuning + - MachineAPI + - Build + - DeploymentConfig + - ImageRegistry + - OperatorLifecycleManager + - CloudCredential + - Ingress + - CloudControllerManager + - OperatorLifecycleManagerV1 + type: string + type: array + x-kubernetes-list-type: atomic + type: object + conditionalUpdates: + description: |- + conditionalUpdates contains the list of updates that may be + recommended for this cluster if it meets specific required + conditions. Consumers interested in the set of updates that are + actually recommended for this cluster should use + availableUpdates. This list may be empty if no updates are + recommended, if the update service is unavailable, or if an empty + or invalid channel has been specified. + items: + description: |- + ConditionalUpdate represents an update which is recommended to some + clusters on the version the current cluster is reconciling, but which + may not be recommended for the current cluster. + properties: + conditions: + description: |- + conditions represents the observations of the conditional update's + current status. Known types are: + * Recommended, for whether the update is recommended for the current cluster. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + release: + description: release is the target of the update. + properties: + architecture: + description: |- + architecture is an optional field that indicates the + value of the cluster architecture. In this context cluster + architecture means either a single architecture or a multi + architecture. + Valid values are 'Multi' and empty. + enum: + - Multi + - "" + type: string + channels: + description: |- + channels is the set of Cincinnati channels to which the release + currently belongs. + items: + type: string + type: array + x-kubernetes-list-type: set + image: + description: |- + image is a container image location that contains the update. When this + field is part of spec, image is optional if version is specified and the + availableUpdates field contains a matching version. + type: string + url: + description: |- + url contains information about this release. This URL is set by + the 'url' metadata property on a release or the metadata returned by + the update API and should be displayed as a link in user + interfaces. The URL field may not be set for test or nightly + releases. + type: string + version: + description: |- + version is a semantic version identifying the update version. When this + field is part of spec, version is optional if image is specified. + type: string + required: + - image + - version + type: object + risks: + description: |- + risks represents the range of issues associated with + updating to the target release. The cluster-version + operator will evaluate all entries, and only recommend the + update if there is at least one entry and all entries + recommend the update. + items: + description: |- + ConditionalUpdateRisk represents a reason and cluster-state + for not recommending a conditional update. + properties: + matchingRules: + description: |- + matchingRules is a slice of conditions for deciding which + clusters match the risk and which do not. The slice is + ordered by decreasing precedence. The cluster-version + operator will walk the slice in order, and stop after the + first it can successfully evaluate. If no condition can be + successfully evaluated, the update will not be recommended. + items: + description: |- + ClusterCondition is a union of typed cluster conditions. The 'type' + property determines which of the type-specific properties are relevant. + When evaluated on a cluster, the condition may match, not match, or + fail to evaluate. + properties: + promql: + description: promql represents a cluster condition + based on PromQL. + properties: + promql: + description: |- + promql is a PromQL query classifying clusters. This query + query should return a 1 in the match case and a 0 in the + does-not-match case. Queries which return no time + series, or which return values besides 0 or 1, are + evaluation failures. + type: string + required: + - promql + type: object + type: + description: |- + type represents the cluster-condition type. This defines + the members and semantics of any additional properties. + enum: + - Always + - PromQL + type: string + required: + - type + type: object + minItems: 1 + type: array + x-kubernetes-list-type: atomic + message: + description: |- + message provides additional information about the risk of + updating, in the event that matchingRules match the cluster + state. This is only to be consumed by humans. It may + contain Line Feed characters (U+000A), which should be + rendered as new lines. + minLength: 1 + type: string + name: + description: |- + name is the CamelCase reason for not recommending a + conditional update, in the event that matchingRules match the + cluster state. + minLength: 1 + type: string + url: + description: url contains information about this risk. + format: uri + minLength: 1 + type: string + required: + - matchingRules + - message + - name + - url + type: object + maxItems: 200 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - release + - risks + type: object + maxItems: 500 + type: array + x-kubernetes-list-type: atomic + conditions: + description: |- + conditions provides information about the cluster version. The condition + "Available" is set to true if the desiredUpdate has been reached. The + condition "Progressing" is set to true if an update is being applied. + The condition "Degraded" is set to true if an update is currently blocked + by a temporary or permanent error. Conditions are only valid for the + current desiredUpdate when metadata.generation is equal to + status.generation. + items: + description: |- + ClusterOperatorStatusCondition represents the state of the operator's + managed and monitored components. + properties: + lastTransitionTime: + description: lastTransitionTime is the time of the last update + to the current status property. + format: date-time + type: string + message: + description: |- + message provides additional information about the current condition. + This is only to be consumed by humans. It may contain Line Feed + characters (U+000A), which should be rendered as new lines. + type: string + reason: + description: reason is the CamelCase reason for the condition's + current status. + type: string + status: + description: status of the condition, one of True, False, Unknown. + type: string + type: + description: type specifies the aspect reported by this condition. + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + desired: + description: |- + desired is the version that the cluster is reconciling towards. + If the cluster is not yet fully initialized desired will be set + with the information available, which may be an image or a tag. + properties: + architecture: + description: |- + architecture is an optional field that indicates the + value of the cluster architecture. In this context cluster + architecture means either a single architecture or a multi + architecture. + Valid values are 'Multi' and empty. + enum: + - Multi + - "" + type: string + channels: + description: |- + channels is the set of Cincinnati channels to which the release + currently belongs. + items: + type: string + type: array + x-kubernetes-list-type: set + image: + description: |- + image is a container image location that contains the update. When this + field is part of spec, image is optional if version is specified and the + availableUpdates field contains a matching version. + type: string + url: + description: |- + url contains information about this release. This URL is set by + the 'url' metadata property on a release or the metadata returned by + the update API and should be displayed as a link in user + interfaces. The URL field may not be set for test or nightly + releases. + type: string + version: + description: |- + version is a semantic version identifying the update version. When this + field is part of spec, version is optional if image is specified. + type: string + required: + - image + - version + type: object + history: + description: |- + history contains a list of the most recent versions applied to the cluster. + This value may be empty during cluster startup, and then will be updated + when a new update is being applied. The newest update is first in the + list and it is ordered by recency. Updates in the history have state + Completed if the rollout completed - if an update was failing or halfway + applied the state will be Partial. Only a limited amount of update history + is preserved. + items: + description: UpdateHistory is a single attempted update to the cluster. + properties: + acceptedRisks: + description: |- + acceptedRisks records risks which were accepted to initiate the update. + For example, it may mention an Upgradeable=False or missing signature + that was overridden via desiredUpdate.force, or an update that was + initiated despite not being in the availableUpdates set of recommended + update targets. + type: string + completionTime: + description: |- + completionTime, if set, is when the update was fully applied. The update + that is currently being applied will have a null completion time. + Completion time will always be set for entries that are not the current + update (usually to the started time of the next update). + format: date-time + nullable: true + type: string + image: + description: |- + image is a container image location that contains the update. This value + is always populated. + type: string + startedTime: + description: startedTime is the time at which the update was + started. + format: date-time + type: string + state: + description: |- + state reflects whether the update was fully applied. The Partial state + indicates the update is not fully applied, while the Completed state + indicates the update was successfully rolled out at least once (all + parts of the update successfully applied). + type: string + verified: + description: |- + verified indicates whether the provided update was properly verified + before it was installed. If this is false the cluster may not be trusted. + Verified does not cover upgradeable checks that depend on the cluster + state at the time when the update target was accepted. + type: boolean + version: + description: |- + version is a semantic version identifying the update version. If the + requested image does not define a version, or if a failure occurs + retrieving the image, this value may be empty. + type: string + required: + - completionTime + - image + - startedTime + - state + - verified + type: object + type: array + x-kubernetes-list-type: atomic + observedGeneration: + description: |- + observedGeneration reports which version of the spec is being synced. + If this value is not equal to metadata.generation, then the desired + and conditions fields may represent a previous version. + format: int64 + type: integer + versionHash: + description: |- + versionHash is a fingerprint of the content that the cluster will be + updated with. It is used by the operator to avoid unnecessary work + and is for internal use only. + type: string + required: + - availableUpdates + - desired + - observedGeneration + - versionHash + type: object + required: + - spec + type: object + x-kubernetes-validations: + - message: the `marketplace` capability requires the `OperatorLifecycleManager` + capability, which is neither explicitly or implicitly enabled in this + cluster, please enable the `OperatorLifecycleManager` capability + rule: 'has(self.spec.capabilities) && has(self.spec.capabilities.additionalEnabledCapabilities) + && self.spec.capabilities.baselineCapabilitySet == ''None'' && ''marketplace'' + in self.spec.capabilities.additionalEnabledCapabilities ? ''OperatorLifecycleManager'' + in self.spec.capabilities.additionalEnabledCapabilities || (has(self.status) + && has(self.status.capabilities) && has(self.status.capabilities.enabledCapabilities) + && ''OperatorLifecycleManager'' in self.status.capabilities.enabledCapabilities) + : true' + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-TechPreviewNoUpgrade.crd.yaml index 376651de5a..ea97687cfc 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-TechPreviewNoUpgrade.crd.yaml @@ -156,6 +156,34 @@ spec: rollbacks will succeed, and some may unrecoverably break the cluster. properties: + acceptRisks: + description: |- + acceptRisks is an optional set of names of conditional update risks that are considered acceptable. + A conditional update is performed only if all of its risks are acceptable. + This list may contain entries that apply to current, previous or future updates. + The entries therefore may not map directly to a risk in .status.conditionalUpdateRisks. + acceptRisks must not contain more than 1000 entries. + Entries in this list must be unique. + items: + description: AcceptRisk represents a risk that is considered + acceptable. + properties: + name: + description: |- + name is the name of the acceptable risk. + It must be a non-empty string and must not exceed 256 characters. + maxLength: 256 + minLength: 1 + type: string + required: + - name + type: object + maxItems: 1000 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map architecture: description: |- architecture is an optional field that indicates the desired @@ -428,6 +456,166 @@ spec: type: array x-kubernetes-list-type: atomic type: object + conditionalUpdateRisks: + description: |- + conditionalUpdateRisks contains the list of risks associated with conditionalUpdates. + When performing a conditional update, all its associated risks will be compared with the set of accepted risks in the spec.desiredUpdate.acceptRisks field. + If all risks for a conditional update are included in the spec.desiredUpdate.acceptRisks set, the conditional update can proceed, otherwise it is blocked. + The risk names in the list must be unique. + conditionalUpdateRisks must not contain more than 500 entries. + items: + description: |- + ConditionalUpdateRisk represents a reason and cluster-state + for not recommending a conditional update. + properties: + conditions: + description: |- + conditions represents the observations of the conditional update + risk's current status. Known types are: + * Applies, for whether the risk applies to the current cluster. + The condition's types in the list must be unique. + conditions must not contain more than one entry. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: must contain a condition of type 'Applies' + rule: self.exists_one(x, x.type == 'Applies') + matchingRules: + description: |- + matchingRules is a slice of conditions for deciding which + clusters match the risk and which do not. The slice is + ordered by decreasing precedence. The cluster-version + operator will walk the slice in order, and stop after the + first it can successfully evaluate. If no condition can be + successfully evaluated, the update will not be recommended. + items: + description: |- + ClusterCondition is a union of typed cluster conditions. The 'type' + property determines which of the type-specific properties are relevant. + When evaluated on a cluster, the condition may match, not match, or + fail to evaluate. + properties: + promql: + description: promql represents a cluster condition based + on PromQL. + properties: + promql: + description: |- + promql is a PromQL query classifying clusters. This query + query should return a 1 in the match case and a 0 in the + does-not-match case. Queries which return no time + series, or which return values besides 0 or 1, are + evaluation failures. + type: string + required: + - promql + type: object + type: + description: |- + type represents the cluster-condition type. This defines + the members and semantics of any additional properties. + enum: + - Always + - PromQL + type: string + required: + - type + type: object + minItems: 1 + type: array + x-kubernetes-list-type: atomic + message: + description: |- + message provides additional information about the risk of + updating, in the event that matchingRules match the cluster + state. This is only to be consumed by humans. It may + contain Line Feed characters (U+000A), which should be + rendered as new lines. + minLength: 1 + type: string + name: + description: |- + name is the CamelCase reason for not recommending a + conditional update, in the event that matchingRules match the + cluster state. + minLength: 1 + type: string + url: + description: url contains information about this risk. + format: uri + minLength: 1 + type: string + required: + - matchingRules + - message + - name + - url + type: object + maxItems: 500 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map conditionalUpdates: description: |- conditionalUpdates contains the list of updates that may be @@ -552,6 +740,21 @@ spec: - image - version type: object + riskNames: + description: |- + riskNames represents the set of the names of conditionalUpdateRisks that are relevant to this update for some clusters. + The Applies condition of each conditionalUpdateRisks entry declares if that risk applies to this cluster. + A conditional update is accepted only if each of its risks either does not apply to the cluster or is considered acceptable by the cluster administrator. + The latter means that the risk names are included in value of the spec.desiredUpdate.acceptRisks field. + Entries must be unique and must not exceed 256 characters. + riskNames must not contain more than 500 entries. + items: + maxLength: 256 + type: string + maxItems: 500 + minItems: 1 + type: array + x-kubernetes-list-type: set risks: description: |- risks represents the range of issues associated with @@ -564,6 +767,78 @@ spec: ConditionalUpdateRisk represents a reason and cluster-state for not recommending a conditional update. properties: + conditions: + description: |- + conditions represents the observations of the conditional update + risk's current status. Known types are: + * Applies, for whether the risk applies to the current cluster. + The condition's types in the list must be unique. + conditions must not contain more than one entry. + items: + description: Condition contains details for one aspect + of the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, + False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: must contain a condition of type 'Applies' + rule: self.exists_one(x, x.type == 'Applies') matchingRules: description: |- matchingRules is a slice of conditions for deciding which @@ -635,6 +910,7 @@ spec: - name - url type: object + maxItems: 200 minItems: 1 type: array x-kubernetes-list-map-keys: @@ -644,6 +920,7 @@ spec: - release - risks type: object + maxItems: 500 type: array x-kubernetes-list-type: atomic conditions: @@ -753,7 +1030,7 @@ spec: acceptedRisks: description: |- acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature + For example, it may mention an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets. diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index f4416bf9b3..86a5146069 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -305,17 +305,12 @@ spec: profile as invalid configurations can be catastrophic. An example custom profile looks like this: + minTLSVersion: VersionTLS11 ciphers: - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 nullable: true properties: ciphers: @@ -337,8 +332,6 @@ spec: versions 1.1, 1.2 and 1.3 (yaml): minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 enum: - VersionTLS10 - VersionTLS11 @@ -348,143 +341,96 @@ spec: type: object intermediate: description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 nullable: true type: object modern: description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 nullable: true type: object old: description: |- - old is a TLS security profile based on: + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - - ECDHE-ECDSA-AES128-SHA256 - - ECDHE-RSA-AES128-SHA256 - - ECDHE-ECDSA-AES128-SHA - - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - - ECDHE-ECDSA-AES256-SHA - - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - - AES128-GCM-SHA256 - - AES256-GCM-SHA384 - - AES128-SHA256 - - AES256-SHA256 - - AES128-SHA - - AES256-SHA - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 nullable: true type: object type: description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. enum: - Old - Intermediate diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml index 37662cb58d..5054895178 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml @@ -236,17 +236,12 @@ spec: profile as invalid configurations can be catastrophic. An example custom profile looks like this: + minTLSVersion: VersionTLS11 ciphers: - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 nullable: true properties: ciphers: @@ -268,8 +263,6 @@ spec: versions 1.1, 1.2 and 1.3 (yaml): minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 enum: - VersionTLS10 - VersionTLS11 @@ -279,143 +272,96 @@ spec: type: object intermediate: description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 nullable: true type: object modern: description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 nullable: true type: object old: description: |- - old is a TLS security profile based on: + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - - ECDHE-ECDSA-AES128-SHA256 - - ECDHE-RSA-AES128-SHA256 - - ECDHE-ECDSA-AES128-SHA - - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - - ECDHE-ECDSA-AES256-SHA - - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - - AES128-GCM-SHA256 - - AES256-GCM-SHA384 - - AES128-SHA256 - - AES256-SHA256 - - AES128-SHA - - AES256-SHA - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 nullable: true type: object type: description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. enum: - Old - Intermediate diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index bfeefa11f3..f4dec27397 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -305,17 +305,12 @@ spec: profile as invalid configurations can be catastrophic. An example custom profile looks like this: + minTLSVersion: VersionTLS11 ciphers: - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 nullable: true properties: ciphers: @@ -337,8 +332,6 @@ spec: versions 1.1, 1.2 and 1.3 (yaml): minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 enum: - VersionTLS10 - VersionTLS11 @@ -348,143 +341,96 @@ spec: type: object intermediate: description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 nullable: true type: object modern: description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 nullable: true type: object old: description: |- - old is a TLS security profile based on: + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - - ECDHE-ECDSA-AES128-SHA256 - - ECDHE-RSA-AES128-SHA256 - - ECDHE-ECDSA-AES128-SHA - - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - - ECDHE-ECDSA-AES256-SHA - - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - - AES128-GCM-SHA256 - - AES256-GCM-SHA384 - - AES128-SHA256 - - AES256-SHA256 - - AES128-SHA - - AES256-SHA - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 nullable: true type: object type: description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. enum: - Old - Intermediate diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml new file mode 100644 index 0000000000..3809b7864c --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml @@ -0,0 +1,383 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: OKD + name: apiservers.config.openshift.io +spec: + group: config.openshift.io + names: + kind: APIServer + listKind: APIServerList + plural: apiservers + singular: apiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + APIServer holds configuration (like serving certificates, client CA and CORS domains) + shared by all API servers in the system, among them especially kube-apiserver + and openshift-apiserver. The canonical name of an instance is 'cluster'. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + additionalCORSAllowedOrigins: + description: |- + additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the + API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth + server from JavaScript applications. + The values are regular expressions that correspond to the Golang regular expression language. + items: + type: string + type: array + x-kubernetes-list-type: atomic + audit: + default: + profile: Default + description: |- + audit specifies the settings for audit configuration to be applied to all OpenShift-provided + API servers in the cluster. + properties: + customRules: + description: |- + customRules specify profiles per group. These profile take precedence over the + top-level profile field if they apply. They are evaluation from top to bottom and + the first one that matches, applies. + items: + description: |- + AuditCustomRule describes a custom rule for an audit profile that takes precedence over + the top-level profile. + properties: + group: + description: group is a name of group a request user must + be member of in order to this profile to apply. + minLength: 1 + type: string + profile: + description: |- + profile specifies the name of the desired audit policy configuration to be deployed to + all OpenShift-provided API servers in the cluster. + + The following profiles are provided: + - Default: the existing default policy. + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + If unset, the 'Default' profile is used as the default. + enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + required: + - group + - profile + type: object + type: array + x-kubernetes-list-map-keys: + - group + x-kubernetes-list-type: map + profile: + default: Default + description: |- + profile specifies the name of the desired top-level audit profile to be applied to all requests + sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, + openshift-apiserver and oauth-apiserver), with the exception of those requests that match + one or more of the customRules. + + The following profiles are provided: + - Default: default policy which means MetaData level logging with the exception of events + (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody + level). + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + Warning: It is not recommended to disable audit logging by using the `None` profile unless you + are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. + If you disable audit logging and a support situation arises, you might need to enable audit logging + and reproduce the issue in order to troubleshoot properly. + + If unset, the 'Default' profile is used as the default. + enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + type: object + clientCA: + description: |- + clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for + incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. + You usually only have to set this if you have your own PKI you wish to honor client certificates from. + The ConfigMap must exist in the openshift-config namespace and contain the following required fields: + - ConfigMap.Data["ca-bundle.crt"] - CA bundle. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + encryption: + description: encryption allows the configuration of encryption of + resources at the datastore layer. + properties: + type: + description: |- + type defines what encryption type should be used to encrypt resources at the datastore layer. + When this field is unset (i.e. when it is set to the empty string), identity is implied. + The behavior of unset can and will change over time. Even if encryption is enabled by default, + the meaning of unset may change to a different encryption type based on changes in best practices. + + When encryption is enabled, all sensitive resources shipped with the platform are encrypted. + This list of sensitive resources can and will change over time. The current authoritative list is: + + 1. secrets + 2. configmaps + 3. routes.route.openshift.io + 4. oauthaccesstokens.oauth.openshift.io + 5. oauthauthorizetokens.oauth.openshift.io + enum: + - "" + - identity + - aescbc + - aesgcm + type: string + type: object + servingCerts: + description: |- + servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates + will be used for serving secure traffic. + properties: + namedCertificates: + description: |- + namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. + If no named certificates are provided, or no named certificates match the server name as understood by a client, + the defaultServingCertificate will be used. + items: + description: APIServerNamedServingCert maps a server DNS name, + as understood by a client, to a certificate. + properties: + names: + description: |- + names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to + serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. + Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. + items: + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + servingCertificate: + description: |- + servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. + The secret must exist in the openshift-config namespace and contain the following required fields: + - Secret.Data["tls.key"] - TLS private key. + - Secret.Data["tls.crt"] - TLS certificate. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + type: object + tlsSecurityProfile: + description: |- + tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. + + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default is the Intermediate profile. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. An example custom profile + looks like this: + + minTLSVersion: VersionTLS11 + ciphers: + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + nullable: true + type: object + old: + description: |- + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - ECDHE-ECDSA-AES128-SHA256 + - ECDHE-RSA-AES128-SHA256 + - ECDHE-ECDSA-AES128-SHA + - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - ECDHE-ECDSA-AES256-SHA + - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + - AES128-GCM-SHA256 + - AES256-GCM-SHA384 + - AES128-SHA256 + - AES256-SHA256 + - AES128-SHA + - AES256-SHA + - DES-CBC3-SHA + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. + + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index a49976e0df..6206ad77a8 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -305,17 +305,12 @@ spec: profile as invalid configurations can be catastrophic. An example custom profile looks like this: + minTLSVersion: VersionTLS11 ciphers: - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 nullable: true properties: ciphers: @@ -337,8 +332,6 @@ spec: versions 1.1, 1.2 and 1.3 (yaml): minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 enum: - VersionTLS10 - VersionTLS11 @@ -348,143 +341,96 @@ spec: type: object intermediate: description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 nullable: true type: object modern: description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 nullable: true type: object old: description: |- - old is a TLS security profile based on: + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - - ECDHE-ECDSA-AES128-SHA256 - - ECDHE-RSA-AES128-SHA256 - - ECDHE-ECDSA-AES128-SHA - - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - - ECDHE-ECDSA-AES256-SHA - - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - - AES128-GCM-SHA256 - - AES256-GCM-SHA384 - - AES128-SHA256 - - AES256-SHA256 - - AES128-SHA - - AES256-SHA - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 nullable: true type: object type: description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. enum: - Old - Intermediate diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml new file mode 100644 index 0000000000..7476fd4655 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml @@ -0,0 +1,982 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: authentications.config.openshift.io +spec: + group: config.openshift.io + names: + kind: Authentication + listKind: AuthenticationList + plural: authentications + singular: authentication + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Authentication specifies cluster-wide settings for authentication (like OAuth and + webhook token authenticators). The canonical name of an instance is `cluster`. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + oauthMetadata: + description: |- + oauthMetadata contains the discovery endpoint data for OAuth 2.0 + Authorization Server Metadata for an external OAuth server. + This discovery document can be viewed from its served location: + oc get --raw '/.well-known/oauth-authorization-server' + For further details, see the IETF Draft: + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + If oauthMetadata.name is non-empty, this value has precedence + over any metadata reference stored in status. + The key "oauthMetadata" is used to locate the data. + If specified and the config map or expected key is not found, no metadata is served. + If the specified metadata is not valid, no metadata is served. + The namespace for this config map is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + oidcProviders: + description: |- + oidcProviders are OIDC identity providers that can issue tokens + for this cluster + Can only be set if "Type" is set to "OIDC". + + At most one provider can be configured. + items: + properties: + claimMappings: + description: |- + claimMappings is a required field that configures the rules to be used by + the Kubernetes API server for translating claims in a JWT token, issued + by the identity provider, to a cluster identity. + properties: + extra: + description: |- + extra is an optional field for configuring the mappings + used to construct the extra attribute for the cluster identity. + When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. + A maximum of 32 extra attribute mappings may be provided. + items: + description: |- + ExtraMapping allows specifying a key and CEL expression + to evaluate the keys' value. It is used to create additional + mappings and attributes added to a cluster identity from + a provided authentication token. + properties: + key: + description: |- + key is a required field that specifies the string + to use as the extra attribute key. + + key must be a domain-prefix path (e.g 'example.org/foo'). + key must not exceed 510 characters in length. + key must contain the '/' character, separating the domain and path characters. + key must not be empty. + + The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. + It must not exceed 253 characters in length. + It must start and end with an alphanumeric character. + It must only contain lower case alphanumeric characters and '-' or '.'. + It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". + + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one + alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + It must not exceed 256 characters in length. + maxLength: 510 + minLength: 1 + type: string + x-kubernetes-validations: + - message: key must contain the '/' character + rule: self.contains('/') + - message: the domain of the key must consist of only + lower case alphanumeric characters, '-' or '.', + and must start and end with an alphanumeric character + rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + - message: the domain of the key must not exceed 253 + characters in length + rule: self.split('/', 2)[0].size() <= 253 + - message: the domain 'kubernetes.io' is reserved + for Kubernetes use + rule: self.split('/', 2)[0] != 'kubernetes.io' + - message: the subdomains '*.kubernetes.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' + - message: the domain 'k8s.io' is reserved for Kubernetes + use + rule: self.split('/', 2)[0] != 'k8s.io' + - message: the subdomains '*.k8s.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' + - message: the domain 'openshift.io' is reserved for + OpenShift use + rule: self.split('/', 2)[0] != 'openshift.io' + - message: the subdomains '*.openshift.io' are reserved + for OpenShift use + rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' + - message: the path of the key must not be empty and + must consist of at least one alphanumeric character, + percent-encoded octets, apostrophe, '-', '.', + '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', + ';', '=', and ':' + rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') + - message: the path of the key must not exceed 256 + characters in length + rule: self.split('/', 2)[1].size() <= 256 + valueExpression: + description: |- + valueExpression is a required field to specify the CEL expression to extract + the extra attribute value from a JWT token's claims. + valueExpression must produce a string or string array value. + "", [], and null are treated as the extra mapping not being present. + Empty string values within an array are filtered out. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + valueExpression must not exceed 1024 characters in length. + valueExpression must not be empty. + maxLength: 1024 + minLength: 1 + type: string + required: + - key + - valueExpression + type: object + maxItems: 32 + type: array + x-kubernetes-list-map-keys: + - key + x-kubernetes-list-type: map + groups: + description: |- + groups is an optional field that configures how the groups of a cluster identity + should be constructed from the claims in a JWT token issued + by the identity provider. + When referencing a claim, if the claim is present in the JWT + token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + properties: + claim: + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. + type: string + prefix: + description: |- + prefix is an optional field that configures the prefix that will be + applied to the cluster identity attribute during the process of mapping + JWT claims to cluster identity attributes. + + When omitted (""), no prefix is applied to the cluster identity attribute. + + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains + an array of strings "a", "b" and "c", the mapping will result in an + array of string "myoidc:a", "myoidc:b" and "myoidc:c". + type: string + required: + - claim + type: object + uid: + description: |- + uid is an optional field for configuring the claim mapping + used to construct the uid for the cluster identity. + + When using uid.claim to specify the claim it must be a single string value. + When using uid.expression the expression must result in a single string value. + + When omitted, this means the user has no opinion and the platform + is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. + properties: + claim: + description: |- + claim is an optional field for specifying the + JWT token claim that is used in the mapping. + The value of this claim will be assigned to + the field in which this mapping is associated. + + Precisely one of claim or expression must be set. + claim must not be specified when expression is set. + When specified, claim must be at least 1 character in length + and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + expression: + description: |- + expression is an optional field for specifying a + CEL expression that produces a string value from + JWT token claims. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + Precisely one of claim or expression must be set. + expression must not be specified when claim is set. + When specified, expression must be at least 1 character in length + and must not exceed 1024 characters in length. + maxLength: 1024 + minLength: 1 + type: string + type: object + x-kubernetes-validations: + - message: precisely one of claim or expression must be + set + rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' + username: + description: |- + username is a required field that configures how the username of a cluster identity + should be constructed from the claims in a JWT token issued by the identity provider. + properties: + claim: + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. + + claim must not be an empty string ("") and must not exceed 256 characters. + maxLength: 256 + minLength: 1 + type: string + prefix: + description: |- + prefix configures the prefix that should be prepended to the value + of the JWT claim. + + prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. + properties: + prefixString: + description: |- + prefixString is a required field that configures the prefix that will + be applied to cluster identity username attribute + during the process of mapping JWT claims to cluster identity attributes. + + prefixString must not be an empty string (""). + minLength: 1 + type: string + required: + - prefixString + type: object + prefixPolicy: + description: |- + prefixPolicy is an optional field that configures how a prefix should be + applied to the value of the JWT claim specified in the 'claim' field. + + Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). + + When set to 'Prefix', the value specified in the prefix field will be + prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. + + When set to 'NoPrefix', no prefix will be prepended to the value + of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose + any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim + when the claim is not 'email'. + As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + - "username": the mapped value will be "https://myoidc.tld#userA" + - "email": the mapped value will be "userA@myoidc.tld" + enum: + - "" + - NoPrefix + - Prefix + type: string + required: + - claim + type: object + x-kubernetes-validations: + - message: prefix must be set if prefixPolicy is 'Prefix', + but must remain unset otherwise + rule: 'has(self.prefixPolicy) && self.prefixPolicy == + ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) + > 0) : !has(self.prefix)' + required: + - username + type: object + claimValidationRules: + description: |- + claimValidationRules is an optional field that configures the rules to + be used by the Kubernetes API server for validating the claims in a JWT + token issued by the identity provider. + + Validation rules are joined via an AND operation. + items: + description: |- + TokenClaimValidationRule represents a validation rule based on token claims. + If type is RequiredClaim, requiredClaim must be set. + If Type is CEL, CEL must be set and RequiredClaim must be omitted. + properties: + cel: + description: |- + cel holds the CEL expression and message for validation. + Must be set when Type is "CEL", and forbidden otherwise. + properties: + expression: + description: |- + expression is a CEL expression evaluated against token claims. + expression is required, must be at least 1 character in length and must not exceed 1024 characters. + The expression must return a boolean value where 'true' signals a valid token and 'false' an invalid one. + maxLength: 1024 + minLength: 1 + type: string + message: + description: |- + message is a required human-readable message to be logged by the Kubernetes API server + if the CEL expression defined in 'expression' fails. + message must be at least 1 character in length and must not exceed 256 characters. + maxLength: 256 + minLength: 1 + type: string + required: + - expression + - message + type: object + requiredClaim: + description: |- + requiredClaim allows configuring a required claim name and its expected value. + This field is required when `type` is set to RequiredClaim, and must be omitted + when `type` is set to any other value. The Kubernetes API server uses this field + to validate if an incoming JWT is valid for this identity provider. + properties: + claim: + description: |- + claim is a required field that configures the name of the required claim. + When taken from the JWT claims, claim must be a string value. + + claim must not be an empty string (""). + minLength: 1 + type: string + requiredValue: + description: |- + requiredValue is a required field that configures the value that 'claim' must + have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token + will be rejected for authentication. + + requiredValue must not be an empty string (""). + minLength: 1 + type: string + required: + - claim + - requiredValue + type: object + type: + description: |- + type is an optional field that configures the type of the validation rule. + + Allowed values are "RequiredClaim" and "CEL". + + When set to 'RequiredClaim', the Kubernetes API server will be configured + to validate that the incoming JWT contains the required claim and that its + value matches the required value. + + When set to 'CEL', the Kubernetes API server will be configured + to validate the incoming JWT against the configured CEL expression. + enum: + - RequiredClaim + - CEL + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: cel must be set when type is 'CEL', and forbidden + otherwise + rule: 'has(self.type) && self.type == ''CEL'' ? has(self.cel) + : !has(self.cel)' + - message: requiredClaim must be set when type is 'RequiredClaim', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''RequiredClaim'' + ? has(self.requiredClaim) : !has(self.requiredClaim)' + type: array + x-kubernetes-list-type: atomic + issuer: + description: |- + issuer is a required field that configures how the platform interacts + with the identity provider and how tokens issued from the identity provider + are evaluated by the Kubernetes API server. + properties: + audiences: + description: |- + audiences is a required field that configures the acceptable audiences + the JWT token, issued by the identity provider, must be issued to. + At least one of the entries must match the 'aud' claim in the JWT token. + + audiences must contain at least one entry and must not exceed ten entries. + items: + minLength: 1 + type: string + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: set + discoveryURL: + description: |- + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint + used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` + as "{issuerURL}/.well-known/openid-configuration". + + The discoveryURL must be a valid absolute HTTPS URL. It must not contain query + parameters, user information, or fragments. Additionally, it must differ from the value of `url` (ignoring trailing slashes). + The discoveryURL value must be at least 1 character long and no longer than 2048 characters. + maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: discoveryURL must be a valid URL + rule: isURL(self) + - message: discoveryURL must be a valid https URL + rule: url(self).getScheme() == 'https' + - message: discoveryURL must not contain query parameters + rule: url(self).getQuery().size() == 0 + - message: discoveryURL must not contain fragments + rule: self.matches('^[^#]*$') + - message: discoveryURL must not contain user info + rule: '!self.matches(''^https://.+:.+@.+/.*$'')' + issuerCertificateAuthority: + description: |- + issuerCertificateAuthority is an optional field that configures the + certificate authority, used by the Kubernetes API server, to validate + the connection to the identity provider when fetching discovery information. + + When not specified, the system trust is used. + + When specified, it must reference a ConfigMap in the openshift-config + namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' + key in the data field of the ConfigMap. + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + required: + - name + type: object + issuerURL: + description: |- + issuerURL is a required field that configures the URL used to issue tokens + by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled + by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + + Must be at least 1 character and must not exceed 512 characters in length. + Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. + maxLength: 512 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: must use the 'https' scheme + rule: isURL(self) && url(self).getScheme() == 'https' + - message: must not have a query + rule: isURL(self) && url(self).getQuery() == {} + - message: must not have a fragment + rule: self.find('#(.+)$') == '' + - message: must not have user info + rule: self.find('@') == '' + required: + - audiences + - issuerURL + type: object + x-kubernetes-validations: + - message: discoveryURL must be different from issuerURL + rule: 'self.?discoveryURL.orValue("").size() > 0 ? (self.issuerURL.size() + == 0 || self.discoveryURL.find(''^.+[^/]'') != self.issuerURL.find(''^.+[^/]'')) + : true' + name: + description: |- + name is a required field that configures the unique human-readable identifier + associated with the identity provider. + It is used to distinguish between multiple identity providers + and has no impact on token validation or authentication mechanics. + + name must not be an empty string (""). + minLength: 1 + type: string + oidcClients: + description: |- + oidcClients is an optional field that configures how on-cluster, + platform clients should request tokens from the identity provider. + oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. + items: + description: |- + OIDCClientConfig configures how platform clients + interact with identity providers as an authentication + method + properties: + clientID: + description: |- + clientID is a required field that configures the client identifier, from + the identity provider, that the platform component uses for authentication + requests made to the identity provider. + The identity provider must accept this identifier for platform components + to be able to use the identity provider as an authentication mode. + + clientID must not be an empty string (""). + minLength: 1 + type: string + clientSecret: + description: |- + clientSecret is an optional field that configures the client secret used + by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests + to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' + namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + The client secret will be used when making authentication requests to the identity provider. + + Public clients do not require a client secret but private + clients do require a client secret to work with the identity provider. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + componentName: + description: |- + componentName is a required field that specifies the name of the platform + component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + componentNamespace: + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component being configured to use the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + maxLength: 63 + minLength: 1 + type: string + extraScopes: + description: |- + extraScopes is an optional field that configures the extra scopes that should + be requested by the platform component when making authentication requests to the + identity provider. + This is useful if you have configured claim mappings that requires specific + scopes to be requested beyond the standard OIDC scopes. + + When omitted, no additional scopes are requested. + items: + type: string + type: array + x-kubernetes-list-type: set + required: + - clientID + - componentName + - componentNamespace + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map + userValidationRules: + description: |- + userValidationRules is an optional field that configures the set of rules + used to validate the cluster user identity that was constructed via + mapping token claims to user identity attributes. + Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. + If any rule in the chain of rules evaluates to 'false', authentication will fail. + When specified, at least one rule must be specified and no more than 64 rules may be specified. + items: + description: |- + TokenUserValidationRule provides a CEL-based rule used to validate a token subject. + Each rule contains a CEL expression that is evaluated against the token’s claims. + properties: + expression: + description: |- + expression is a required CEL expression that performs a validation + on cluster user identity attributes like username, groups, etc. + The expression must evaluate to a boolean value. + When the expression evaluates to 'true', the cluster user identity is considered valid. + When the expression evaluates to 'false', the cluster user identity is not considered valid. + expression must be at least 1 character in length and must not exceed 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + message: + description: |- + message is a required human-readable message to be logged by the Kubernetes API server + if the CEL expression defined in 'expression' fails. + message must be at least 1 character in length and must not exceed 256 characters. + maxLength: 256 + minLength: 1 + type: string + required: + - expression + - message + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - expression + x-kubernetes-list-type: map + required: + - claimMappings + - issuer + - name + type: object + maxItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + serviceAccountIssuer: + description: |- + serviceAccountIssuer is the identifier of the bound service account token + issuer. + The default is https://kubernetes.default.svc + WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the + previous issuer value. Instead, the tokens issued by previous service account issuer will continue to + be trusted for a time period chosen by the platform (currently set to 24h). + This time period is subject to change over time. + This allows internal components to transition to use new service account issuer without service distruption. + type: string + type: + description: |- + type identifies the cluster managed, user facing authentication mode in use. + Specifically, it manages the component that responds to login attempts. + The default is IntegratedOAuth. + enum: + - "" + - None + - IntegratedOAuth + - OIDC + type: string + webhookTokenAuthenticator: + description: |- + webhookTokenAuthenticator configures a remote token reviewer. + These remote authentication webhooks can be used to verify bearer tokens + via the tokenreviews.authentication.k8s.io REST API. This is required to + honor bearer tokens that are provisioned by an external authentication service. + + Can only be set if "Type" is set to "None". + properties: + kubeConfig: + description: |- + kubeConfig references a secret that contains kube config file data which + describes how to access the remote webhook service. + The namespace for the referenced secret is openshift-config. + + For further details, see: + + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. + properties: + name: + description: name is the metadata.name of the referenced secret + type: string + required: + - name + type: object + required: + - kubeConfig + type: object + webhookTokenAuthenticators: + description: webhookTokenAuthenticators is DEPRECATED, setting it + has no effect. + items: + description: |- + deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. + It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. + properties: + kubeConfig: + description: |- + kubeConfig contains kube config file data which describes how to access the remote webhook service. + For further details, see: + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. + The namespace for this secret is determined by the point of use. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + properties: + integratedOAuthMetadata: + description: |- + integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 + Authorization Server Metadata for the in-cluster integrated OAuth server. + This discovery document can be viewed from its served location: + oc get --raw '/.well-known/oauth-authorization-server' + For further details, see the IETF Draft: + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + This contains the observed value based on cluster state. + An explicitly set value in spec.oauthMetadata has precedence over this field. + This field has no meaning if authentication spec.type is not set to IntegratedOAuth. + The key "oauthMetadata" is used to locate the data. + If the config map or expected key is not found, no metadata is served. + If the specified metadata is not valid, no metadata is served. + The namespace for this config map is openshift-config-managed. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + oidcClients: + description: |- + oidcClients is where participating operators place the current OIDC client status + for OIDC clients that can be customized by the cluster-admin. + items: + description: |- + OIDCClientStatus represents the current state + of platform components and how they interact with + the configured identity providers. + properties: + componentName: + description: |- + componentName is a required field that specifies the name of the platform + component using the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + componentNamespace: + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component using the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + maxLength: 63 + minLength: 1 + type: string + conditions: + description: |- + conditions are used to communicate the state of the `oidcClients` entry. + + Supported conditions include Available, Degraded and Progressing. + + If Available is true, the component is successfully using the configured client. + If Degraded is true, that means something has gone wrong trying to handle the client configuration. + If Progressing is true, that means the component is taking some action related to the `oidcClients` entry. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + consumingUsers: + description: |- + consumingUsers is an optional list of ServiceAccounts requiring + read permissions on the `clientSecret` secret. + + consumingUsers must not exceed 5 entries. + items: + description: ConsumingUser is an alias for string which we + add validation to. Currently only service accounts are supported. + maxLength: 512 + minLength: 1 + pattern: ^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 5 + type: array + x-kubernetes-list-type: set + currentOIDCClients: + description: |- + currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. + items: + description: |- + OIDCClientReference is a reference to a platform component + client configuration. + properties: + clientID: + description: |- + clientID is a required field that specifies the client identifier, from + the identity provider, that the platform component is using for authentication + requests made to the identity provider. + + clientID must not be empty. + minLength: 1 + type: string + issuerURL: + description: |- + issuerURL is a required field that specifies the URL of the identity + provider that this client is configured to make requests against. + + issuerURL must use the 'https' scheme. + pattern: ^https:\/\/[^\s] + type: string + oidcProviderName: + description: |- + oidcProviderName is a required reference to the 'name' of the identity provider + configured in 'oidcProviders' that this client is associated with. + + oidcProviderName must not be an empty string (""). + minLength: 1 + type: string + required: + - clientID + - issuerURL + - oidcProviderName + type: object + type: array + x-kubernetes-list-map-keys: + - issuerURL + - clientID + x-kubernetes-list-type: map + required: + - componentName + - componentNamespace + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + x-kubernetes-validations: + - message: all oidcClients in the oidcProviders must match their componentName + and componentNamespace to either a previously configured oidcClient or + they must exist in the status.oidcClients + rule: '!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) + || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace + == specC.componentNamespace && statusC.componentName == specC.componentName) + || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, + oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, + oldC.componentNamespace == specC.componentNamespace && oldC.componentName + == specC.componentName)))))' + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml new file mode 100644 index 0000000000..5d93d98cc1 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml @@ -0,0 +1,882 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: Default + name: authentications.config.openshift.io +spec: + group: config.openshift.io + names: + kind: Authentication + listKind: AuthenticationList + plural: authentications + singular: authentication + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Authentication specifies cluster-wide settings for authentication (like OAuth and + webhook token authenticators). The canonical name of an instance is `cluster`. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + oauthMetadata: + description: |- + oauthMetadata contains the discovery endpoint data for OAuth 2.0 + Authorization Server Metadata for an external OAuth server. + This discovery document can be viewed from its served location: + oc get --raw '/.well-known/oauth-authorization-server' + For further details, see the IETF Draft: + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + If oauthMetadata.name is non-empty, this value has precedence + over any metadata reference stored in status. + The key "oauthMetadata" is used to locate the data. + If specified and the config map or expected key is not found, no metadata is served. + If the specified metadata is not valid, no metadata is served. + The namespace for this config map is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + oidcProviders: + description: |- + oidcProviders are OIDC identity providers that can issue tokens + for this cluster + Can only be set if "Type" is set to "OIDC". + + At most one provider can be configured. + items: + properties: + claimMappings: + description: |- + claimMappings is a required field that configures the rules to be used by + the Kubernetes API server for translating claims in a JWT token, issued + by the identity provider, to a cluster identity. + properties: + extra: + description: |- + extra is an optional field for configuring the mappings + used to construct the extra attribute for the cluster identity. + When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. + A maximum of 32 extra attribute mappings may be provided. + items: + description: |- + ExtraMapping allows specifying a key and CEL expression + to evaluate the keys' value. It is used to create additional + mappings and attributes added to a cluster identity from + a provided authentication token. + properties: + key: + description: |- + key is a required field that specifies the string + to use as the extra attribute key. + + key must be a domain-prefix path (e.g 'example.org/foo'). + key must not exceed 510 characters in length. + key must contain the '/' character, separating the domain and path characters. + key must not be empty. + + The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. + It must not exceed 253 characters in length. + It must start and end with an alphanumeric character. + It must only contain lower case alphanumeric characters and '-' or '.'. + It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". + + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one + alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + It must not exceed 256 characters in length. + maxLength: 510 + minLength: 1 + type: string + x-kubernetes-validations: + - message: key must contain the '/' character + rule: self.contains('/') + - message: the domain of the key must consist of only + lower case alphanumeric characters, '-' or '.', + and must start and end with an alphanumeric character + rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + - message: the domain of the key must not exceed 253 + characters in length + rule: self.split('/', 2)[0].size() <= 253 + - message: the domain 'kubernetes.io' is reserved + for Kubernetes use + rule: self.split('/', 2)[0] != 'kubernetes.io' + - message: the subdomains '*.kubernetes.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' + - message: the domain 'k8s.io' is reserved for Kubernetes + use + rule: self.split('/', 2)[0] != 'k8s.io' + - message: the subdomains '*.k8s.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' + - message: the domain 'openshift.io' is reserved for + OpenShift use + rule: self.split('/', 2)[0] != 'openshift.io' + - message: the subdomains '*.openshift.io' are reserved + for OpenShift use + rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' + - message: the path of the key must not be empty and + must consist of at least one alphanumeric character, + percent-encoded octets, apostrophe, '-', '.', + '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', + ';', '=', and ':' + rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') + - message: the path of the key must not exceed 256 + characters in length + rule: self.split('/', 2)[1].size() <= 256 + valueExpression: + description: |- + valueExpression is a required field to specify the CEL expression to extract + the extra attribute value from a JWT token's claims. + valueExpression must produce a string or string array value. + "", [], and null are treated as the extra mapping not being present. + Empty string values within an array are filtered out. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + valueExpression must not exceed 1024 characters in length. + valueExpression must not be empty. + maxLength: 1024 + minLength: 1 + type: string + required: + - key + - valueExpression + type: object + maxItems: 32 + type: array + x-kubernetes-list-map-keys: + - key + x-kubernetes-list-type: map + groups: + description: |- + groups is an optional field that configures how the groups of a cluster identity + should be constructed from the claims in a JWT token issued + by the identity provider. + When referencing a claim, if the claim is present in the JWT + token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + properties: + claim: + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. + type: string + prefix: + description: |- + prefix is an optional field that configures the prefix that will be + applied to the cluster identity attribute during the process of mapping + JWT claims to cluster identity attributes. + + When omitted (""), no prefix is applied to the cluster identity attribute. + + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains + an array of strings "a", "b" and "c", the mapping will result in an + array of string "myoidc:a", "myoidc:b" and "myoidc:c". + type: string + required: + - claim + type: object + uid: + description: |- + uid is an optional field for configuring the claim mapping + used to construct the uid for the cluster identity. + + When using uid.claim to specify the claim it must be a single string value. + When using uid.expression the expression must result in a single string value. + + When omitted, this means the user has no opinion and the platform + is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. + properties: + claim: + description: |- + claim is an optional field for specifying the + JWT token claim that is used in the mapping. + The value of this claim will be assigned to + the field in which this mapping is associated. + + Precisely one of claim or expression must be set. + claim must not be specified when expression is set. + When specified, claim must be at least 1 character in length + and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + expression: + description: |- + expression is an optional field for specifying a + CEL expression that produces a string value from + JWT token claims. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + Precisely one of claim or expression must be set. + expression must not be specified when claim is set. + When specified, expression must be at least 1 character in length + and must not exceed 1024 characters in length. + maxLength: 1024 + minLength: 1 + type: string + type: object + x-kubernetes-validations: + - message: precisely one of claim or expression must be + set + rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' + username: + description: |- + username is a required field that configures how the username of a cluster identity + should be constructed from the claims in a JWT token issued by the identity provider. + properties: + claim: + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. + + claim must not be an empty string ("") and must not exceed 256 characters. + maxLength: 256 + minLength: 1 + type: string + prefix: + description: |- + prefix configures the prefix that should be prepended to the value + of the JWT claim. + + prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. + properties: + prefixString: + description: |- + prefixString is a required field that configures the prefix that will + be applied to cluster identity username attribute + during the process of mapping JWT claims to cluster identity attributes. + + prefixString must not be an empty string (""). + minLength: 1 + type: string + required: + - prefixString + type: object + prefixPolicy: + description: |- + prefixPolicy is an optional field that configures how a prefix should be + applied to the value of the JWT claim specified in the 'claim' field. + + Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). + + When set to 'Prefix', the value specified in the prefix field will be + prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. + + When set to 'NoPrefix', no prefix will be prepended to the value + of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose + any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim + when the claim is not 'email'. + As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + - "username": the mapped value will be "https://myoidc.tld#userA" + - "email": the mapped value will be "userA@myoidc.tld" + enum: + - "" + - NoPrefix + - Prefix + type: string + required: + - claim + type: object + x-kubernetes-validations: + - message: prefix must be set if prefixPolicy is 'Prefix', + but must remain unset otherwise + rule: 'has(self.prefixPolicy) && self.prefixPolicy == + ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) + > 0) : !has(self.prefix)' + required: + - username + type: object + claimValidationRules: + description: |- + claimValidationRules is an optional field that configures the rules to + be used by the Kubernetes API server for validating the claims in a JWT + token issued by the identity provider. + + Validation rules are joined via an AND operation. + items: + description: |- + TokenClaimValidationRule represents a validation rule based on token claims. + If type is RequiredClaim, requiredClaim must be set. + If Type is CEL, CEL must be set and RequiredClaim must be omitted. + properties: + requiredClaim: + description: |- + requiredClaim allows configuring a required claim name and its expected value. + This field is required when `type` is set to RequiredClaim, and must be omitted + when `type` is set to any other value. The Kubernetes API server uses this field + to validate if an incoming JWT is valid for this identity provider. + properties: + claim: + description: |- + claim is a required field that configures the name of the required claim. + When taken from the JWT claims, claim must be a string value. + + claim must not be an empty string (""). + minLength: 1 + type: string + requiredValue: + description: |- + requiredValue is a required field that configures the value that 'claim' must + have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token + will be rejected for authentication. + + requiredValue must not be an empty string (""). + minLength: 1 + type: string + required: + - claim + - requiredValue + type: object + type: + description: |- + type is an optional field that configures the type of the validation rule. + + Allowed values are "RequiredClaim" and "CEL". + + When set to 'RequiredClaim', the Kubernetes API server will be configured + to validate that the incoming JWT contains the required claim and that its + value matches the required value. + + When set to 'CEL', the Kubernetes API server will be configured + to validate the incoming JWT against the configured CEL expression. + enum: + - RequiredClaim + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: requiredClaim must be set when type is 'RequiredClaim', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''RequiredClaim'' + ? has(self.requiredClaim) : !has(self.requiredClaim)' + type: array + x-kubernetes-list-type: atomic + issuer: + description: |- + issuer is a required field that configures how the platform interacts + with the identity provider and how tokens issued from the identity provider + are evaluated by the Kubernetes API server. + properties: + audiences: + description: |- + audiences is a required field that configures the acceptable audiences + the JWT token, issued by the identity provider, must be issued to. + At least one of the entries must match the 'aud' claim in the JWT token. + + audiences must contain at least one entry and must not exceed ten entries. + items: + minLength: 1 + type: string + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: set + issuerCertificateAuthority: + description: |- + issuerCertificateAuthority is an optional field that configures the + certificate authority, used by the Kubernetes API server, to validate + the connection to the identity provider when fetching discovery information. + + When not specified, the system trust is used. + + When specified, it must reference a ConfigMap in the openshift-config + namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' + key in the data field of the ConfigMap. + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + required: + - name + type: object + issuerURL: + description: |- + issuerURL is a required field that configures the URL used to issue tokens + by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled + by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + + Must be at least 1 character and must not exceed 512 characters in length. + Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. + maxLength: 512 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: must use the 'https' scheme + rule: isURL(self) && url(self).getScheme() == 'https' + - message: must not have a query + rule: isURL(self) && url(self).getQuery() == {} + - message: must not have a fragment + rule: self.find('#(.+)$') == '' + - message: must not have user info + rule: self.find('@') == '' + required: + - audiences + - issuerURL + type: object + name: + description: |- + name is a required field that configures the unique human-readable identifier + associated with the identity provider. + It is used to distinguish between multiple identity providers + and has no impact on token validation or authentication mechanics. + + name must not be an empty string (""). + minLength: 1 + type: string + oidcClients: + description: |- + oidcClients is an optional field that configures how on-cluster, + platform clients should request tokens from the identity provider. + oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. + items: + description: |- + OIDCClientConfig configures how platform clients + interact with identity providers as an authentication + method + properties: + clientID: + description: |- + clientID is a required field that configures the client identifier, from + the identity provider, that the platform component uses for authentication + requests made to the identity provider. + The identity provider must accept this identifier for platform components + to be able to use the identity provider as an authentication mode. + + clientID must not be an empty string (""). + minLength: 1 + type: string + clientSecret: + description: |- + clientSecret is an optional field that configures the client secret used + by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests + to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' + namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + The client secret will be used when making authentication requests to the identity provider. + + Public clients do not require a client secret but private + clients do require a client secret to work with the identity provider. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + componentName: + description: |- + componentName is a required field that specifies the name of the platform + component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + componentNamespace: + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component being configured to use the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + maxLength: 63 + minLength: 1 + type: string + extraScopes: + description: |- + extraScopes is an optional field that configures the extra scopes that should + be requested by the platform component when making authentication requests to the + identity provider. + This is useful if you have configured claim mappings that requires specific + scopes to be requested beyond the standard OIDC scopes. + + When omitted, no additional scopes are requested. + items: + type: string + type: array + x-kubernetes-list-type: set + required: + - clientID + - componentName + - componentNamespace + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map + required: + - claimMappings + - issuer + - name + type: object + maxItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + serviceAccountIssuer: + description: |- + serviceAccountIssuer is the identifier of the bound service account token + issuer. + The default is https://kubernetes.default.svc + WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the + previous issuer value. Instead, the tokens issued by previous service account issuer will continue to + be trusted for a time period chosen by the platform (currently set to 24h). + This time period is subject to change over time. + This allows internal components to transition to use new service account issuer without service distruption. + type: string + type: + description: |- + type identifies the cluster managed, user facing authentication mode in use. + Specifically, it manages the component that responds to login attempts. + The default is IntegratedOAuth. + enum: + - "" + - None + - IntegratedOAuth + - OIDC + type: string + webhookTokenAuthenticator: + description: |- + webhookTokenAuthenticator configures a remote token reviewer. + These remote authentication webhooks can be used to verify bearer tokens + via the tokenreviews.authentication.k8s.io REST API. This is required to + honor bearer tokens that are provisioned by an external authentication service. + + Can only be set if "Type" is set to "None". + properties: + kubeConfig: + description: |- + kubeConfig references a secret that contains kube config file data which + describes how to access the remote webhook service. + The namespace for the referenced secret is openshift-config. + + For further details, see: + + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. + properties: + name: + description: name is the metadata.name of the referenced secret + type: string + required: + - name + type: object + required: + - kubeConfig + type: object + webhookTokenAuthenticators: + description: webhookTokenAuthenticators is DEPRECATED, setting it + has no effect. + items: + description: |- + deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. + It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. + properties: + kubeConfig: + description: |- + kubeConfig contains kube config file data which describes how to access the remote webhook service. + For further details, see: + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. + The namespace for this secret is determined by the point of use. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + properties: + integratedOAuthMetadata: + description: |- + integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 + Authorization Server Metadata for the in-cluster integrated OAuth server. + This discovery document can be viewed from its served location: + oc get --raw '/.well-known/oauth-authorization-server' + For further details, see the IETF Draft: + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + This contains the observed value based on cluster state. + An explicitly set value in spec.oauthMetadata has precedence over this field. + This field has no meaning if authentication spec.type is not set to IntegratedOAuth. + The key "oauthMetadata" is used to locate the data. + If the config map or expected key is not found, no metadata is served. + If the specified metadata is not valid, no metadata is served. + The namespace for this config map is openshift-config-managed. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + oidcClients: + description: |- + oidcClients is where participating operators place the current OIDC client status + for OIDC clients that can be customized by the cluster-admin. + items: + description: |- + OIDCClientStatus represents the current state + of platform components and how they interact with + the configured identity providers. + properties: + componentName: + description: |- + componentName is a required field that specifies the name of the platform + component using the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + componentNamespace: + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component using the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + maxLength: 63 + minLength: 1 + type: string + conditions: + description: |- + conditions are used to communicate the state of the `oidcClients` entry. + + Supported conditions include Available, Degraded and Progressing. + + If Available is true, the component is successfully using the configured client. + If Degraded is true, that means something has gone wrong trying to handle the client configuration. + If Progressing is true, that means the component is taking some action related to the `oidcClients` entry. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + consumingUsers: + description: |- + consumingUsers is an optional list of ServiceAccounts requiring + read permissions on the `clientSecret` secret. + + consumingUsers must not exceed 5 entries. + items: + description: ConsumingUser is an alias for string which we + add validation to. Currently only service accounts are supported. + maxLength: 512 + minLength: 1 + pattern: ^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 5 + type: array + x-kubernetes-list-type: set + currentOIDCClients: + description: |- + currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. + items: + description: |- + OIDCClientReference is a reference to a platform component + client configuration. + properties: + clientID: + description: |- + clientID is a required field that specifies the client identifier, from + the identity provider, that the platform component is using for authentication + requests made to the identity provider. + + clientID must not be empty. + minLength: 1 + type: string + issuerURL: + description: |- + issuerURL is a required field that specifies the URL of the identity + provider that this client is configured to make requests against. + + issuerURL must use the 'https' scheme. + pattern: ^https:\/\/[^\s] + type: string + oidcProviderName: + description: |- + oidcProviderName is a required reference to the 'name' of the identity provider + configured in 'oidcProviders' that this client is associated with. + + oidcProviderName must not be an empty string (""). + minLength: 1 + type: string + required: + - clientID + - issuerURL + - oidcProviderName + type: object + type: array + x-kubernetes-list-map-keys: + - issuerURL + - clientID + x-kubernetes-list-type: map + required: + - componentName + - componentNamespace + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + x-kubernetes-validations: + - message: all oidcClients in the oidcProviders must match their componentName + and componentNamespace to either a previously configured oidcClient or + they must exist in the status.oidcClients + rule: '!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) + || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace + == specC.componentNamespace && statusC.componentName == specC.componentName) + || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, + oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, + oldC.componentNamespace == specC.componentNamespace && oldC.componentName + == specC.componentName)))))' + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 0000000000..1a6afefa6a --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml @@ -0,0 +1,982 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + name: authentications.config.openshift.io +spec: + group: config.openshift.io + names: + kind: Authentication + listKind: AuthenticationList + plural: authentications + singular: authentication + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Authentication specifies cluster-wide settings for authentication (like OAuth and + webhook token authenticators). The canonical name of an instance is `cluster`. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + oauthMetadata: + description: |- + oauthMetadata contains the discovery endpoint data for OAuth 2.0 + Authorization Server Metadata for an external OAuth server. + This discovery document can be viewed from its served location: + oc get --raw '/.well-known/oauth-authorization-server' + For further details, see the IETF Draft: + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + If oauthMetadata.name is non-empty, this value has precedence + over any metadata reference stored in status. + The key "oauthMetadata" is used to locate the data. + If specified and the config map or expected key is not found, no metadata is served. + If the specified metadata is not valid, no metadata is served. + The namespace for this config map is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + oidcProviders: + description: |- + oidcProviders are OIDC identity providers that can issue tokens + for this cluster + Can only be set if "Type" is set to "OIDC". + + At most one provider can be configured. + items: + properties: + claimMappings: + description: |- + claimMappings is a required field that configures the rules to be used by + the Kubernetes API server for translating claims in a JWT token, issued + by the identity provider, to a cluster identity. + properties: + extra: + description: |- + extra is an optional field for configuring the mappings + used to construct the extra attribute for the cluster identity. + When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. + A maximum of 32 extra attribute mappings may be provided. + items: + description: |- + ExtraMapping allows specifying a key and CEL expression + to evaluate the keys' value. It is used to create additional + mappings and attributes added to a cluster identity from + a provided authentication token. + properties: + key: + description: |- + key is a required field that specifies the string + to use as the extra attribute key. + + key must be a domain-prefix path (e.g 'example.org/foo'). + key must not exceed 510 characters in length. + key must contain the '/' character, separating the domain and path characters. + key must not be empty. + + The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. + It must not exceed 253 characters in length. + It must start and end with an alphanumeric character. + It must only contain lower case alphanumeric characters and '-' or '.'. + It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". + + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one + alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + It must not exceed 256 characters in length. + maxLength: 510 + minLength: 1 + type: string + x-kubernetes-validations: + - message: key must contain the '/' character + rule: self.contains('/') + - message: the domain of the key must consist of only + lower case alphanumeric characters, '-' or '.', + and must start and end with an alphanumeric character + rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + - message: the domain of the key must not exceed 253 + characters in length + rule: self.split('/', 2)[0].size() <= 253 + - message: the domain 'kubernetes.io' is reserved + for Kubernetes use + rule: self.split('/', 2)[0] != 'kubernetes.io' + - message: the subdomains '*.kubernetes.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' + - message: the domain 'k8s.io' is reserved for Kubernetes + use + rule: self.split('/', 2)[0] != 'k8s.io' + - message: the subdomains '*.k8s.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' + - message: the domain 'openshift.io' is reserved for + OpenShift use + rule: self.split('/', 2)[0] != 'openshift.io' + - message: the subdomains '*.openshift.io' are reserved + for OpenShift use + rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' + - message: the path of the key must not be empty and + must consist of at least one alphanumeric character, + percent-encoded octets, apostrophe, '-', '.', + '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', + ';', '=', and ':' + rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') + - message: the path of the key must not exceed 256 + characters in length + rule: self.split('/', 2)[1].size() <= 256 + valueExpression: + description: |- + valueExpression is a required field to specify the CEL expression to extract + the extra attribute value from a JWT token's claims. + valueExpression must produce a string or string array value. + "", [], and null are treated as the extra mapping not being present. + Empty string values within an array are filtered out. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + valueExpression must not exceed 1024 characters in length. + valueExpression must not be empty. + maxLength: 1024 + minLength: 1 + type: string + required: + - key + - valueExpression + type: object + maxItems: 32 + type: array + x-kubernetes-list-map-keys: + - key + x-kubernetes-list-type: map + groups: + description: |- + groups is an optional field that configures how the groups of a cluster identity + should be constructed from the claims in a JWT token issued + by the identity provider. + When referencing a claim, if the claim is present in the JWT + token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + properties: + claim: + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. + type: string + prefix: + description: |- + prefix is an optional field that configures the prefix that will be + applied to the cluster identity attribute during the process of mapping + JWT claims to cluster identity attributes. + + When omitted (""), no prefix is applied to the cluster identity attribute. + + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains + an array of strings "a", "b" and "c", the mapping will result in an + array of string "myoidc:a", "myoidc:b" and "myoidc:c". + type: string + required: + - claim + type: object + uid: + description: |- + uid is an optional field for configuring the claim mapping + used to construct the uid for the cluster identity. + + When using uid.claim to specify the claim it must be a single string value. + When using uid.expression the expression must result in a single string value. + + When omitted, this means the user has no opinion and the platform + is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. + properties: + claim: + description: |- + claim is an optional field for specifying the + JWT token claim that is used in the mapping. + The value of this claim will be assigned to + the field in which this mapping is associated. + + Precisely one of claim or expression must be set. + claim must not be specified when expression is set. + When specified, claim must be at least 1 character in length + and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + expression: + description: |- + expression is an optional field for specifying a + CEL expression that produces a string value from + JWT token claims. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + Precisely one of claim or expression must be set. + expression must not be specified when claim is set. + When specified, expression must be at least 1 character in length + and must not exceed 1024 characters in length. + maxLength: 1024 + minLength: 1 + type: string + type: object + x-kubernetes-validations: + - message: precisely one of claim or expression must be + set + rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' + username: + description: |- + username is a required field that configures how the username of a cluster identity + should be constructed from the claims in a JWT token issued by the identity provider. + properties: + claim: + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. + + claim must not be an empty string ("") and must not exceed 256 characters. + maxLength: 256 + minLength: 1 + type: string + prefix: + description: |- + prefix configures the prefix that should be prepended to the value + of the JWT claim. + + prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. + properties: + prefixString: + description: |- + prefixString is a required field that configures the prefix that will + be applied to cluster identity username attribute + during the process of mapping JWT claims to cluster identity attributes. + + prefixString must not be an empty string (""). + minLength: 1 + type: string + required: + - prefixString + type: object + prefixPolicy: + description: |- + prefixPolicy is an optional field that configures how a prefix should be + applied to the value of the JWT claim specified in the 'claim' field. + + Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). + + When set to 'Prefix', the value specified in the prefix field will be + prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. + + When set to 'NoPrefix', no prefix will be prepended to the value + of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose + any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim + when the claim is not 'email'. + As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + - "username": the mapped value will be "https://myoidc.tld#userA" + - "email": the mapped value will be "userA@myoidc.tld" + enum: + - "" + - NoPrefix + - Prefix + type: string + required: + - claim + type: object + x-kubernetes-validations: + - message: prefix must be set if prefixPolicy is 'Prefix', + but must remain unset otherwise + rule: 'has(self.prefixPolicy) && self.prefixPolicy == + ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) + > 0) : !has(self.prefix)' + required: + - username + type: object + claimValidationRules: + description: |- + claimValidationRules is an optional field that configures the rules to + be used by the Kubernetes API server for validating the claims in a JWT + token issued by the identity provider. + + Validation rules are joined via an AND operation. + items: + description: |- + TokenClaimValidationRule represents a validation rule based on token claims. + If type is RequiredClaim, requiredClaim must be set. + If Type is CEL, CEL must be set and RequiredClaim must be omitted. + properties: + cel: + description: |- + cel holds the CEL expression and message for validation. + Must be set when Type is "CEL", and forbidden otherwise. + properties: + expression: + description: |- + expression is a CEL expression evaluated against token claims. + expression is required, must be at least 1 character in length and must not exceed 1024 characters. + The expression must return a boolean value where 'true' signals a valid token and 'false' an invalid one. + maxLength: 1024 + minLength: 1 + type: string + message: + description: |- + message is a required human-readable message to be logged by the Kubernetes API server + if the CEL expression defined in 'expression' fails. + message must be at least 1 character in length and must not exceed 256 characters. + maxLength: 256 + minLength: 1 + type: string + required: + - expression + - message + type: object + requiredClaim: + description: |- + requiredClaim allows configuring a required claim name and its expected value. + This field is required when `type` is set to RequiredClaim, and must be omitted + when `type` is set to any other value. The Kubernetes API server uses this field + to validate if an incoming JWT is valid for this identity provider. + properties: + claim: + description: |- + claim is a required field that configures the name of the required claim. + When taken from the JWT claims, claim must be a string value. + + claim must not be an empty string (""). + minLength: 1 + type: string + requiredValue: + description: |- + requiredValue is a required field that configures the value that 'claim' must + have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token + will be rejected for authentication. + + requiredValue must not be an empty string (""). + minLength: 1 + type: string + required: + - claim + - requiredValue + type: object + type: + description: |- + type is an optional field that configures the type of the validation rule. + + Allowed values are "RequiredClaim" and "CEL". + + When set to 'RequiredClaim', the Kubernetes API server will be configured + to validate that the incoming JWT contains the required claim and that its + value matches the required value. + + When set to 'CEL', the Kubernetes API server will be configured + to validate the incoming JWT against the configured CEL expression. + enum: + - RequiredClaim + - CEL + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: cel must be set when type is 'CEL', and forbidden + otherwise + rule: 'has(self.type) && self.type == ''CEL'' ? has(self.cel) + : !has(self.cel)' + - message: requiredClaim must be set when type is 'RequiredClaim', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''RequiredClaim'' + ? has(self.requiredClaim) : !has(self.requiredClaim)' + type: array + x-kubernetes-list-type: atomic + issuer: + description: |- + issuer is a required field that configures how the platform interacts + with the identity provider and how tokens issued from the identity provider + are evaluated by the Kubernetes API server. + properties: + audiences: + description: |- + audiences is a required field that configures the acceptable audiences + the JWT token, issued by the identity provider, must be issued to. + At least one of the entries must match the 'aud' claim in the JWT token. + + audiences must contain at least one entry and must not exceed ten entries. + items: + minLength: 1 + type: string + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: set + discoveryURL: + description: |- + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint + used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` + as "{issuerURL}/.well-known/openid-configuration". + + The discoveryURL must be a valid absolute HTTPS URL. It must not contain query + parameters, user information, or fragments. Additionally, it must differ from the value of `url` (ignoring trailing slashes). + The discoveryURL value must be at least 1 character long and no longer than 2048 characters. + maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: discoveryURL must be a valid URL + rule: isURL(self) + - message: discoveryURL must be a valid https URL + rule: url(self).getScheme() == 'https' + - message: discoveryURL must not contain query parameters + rule: url(self).getQuery().size() == 0 + - message: discoveryURL must not contain fragments + rule: self.matches('^[^#]*$') + - message: discoveryURL must not contain user info + rule: '!self.matches(''^https://.+:.+@.+/.*$'')' + issuerCertificateAuthority: + description: |- + issuerCertificateAuthority is an optional field that configures the + certificate authority, used by the Kubernetes API server, to validate + the connection to the identity provider when fetching discovery information. + + When not specified, the system trust is used. + + When specified, it must reference a ConfigMap in the openshift-config + namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' + key in the data field of the ConfigMap. + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + required: + - name + type: object + issuerURL: + description: |- + issuerURL is a required field that configures the URL used to issue tokens + by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled + by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + + Must be at least 1 character and must not exceed 512 characters in length. + Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. + maxLength: 512 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: must use the 'https' scheme + rule: isURL(self) && url(self).getScheme() == 'https' + - message: must not have a query + rule: isURL(self) && url(self).getQuery() == {} + - message: must not have a fragment + rule: self.find('#(.+)$') == '' + - message: must not have user info + rule: self.find('@') == '' + required: + - audiences + - issuerURL + type: object + x-kubernetes-validations: + - message: discoveryURL must be different from issuerURL + rule: 'self.?discoveryURL.orValue("").size() > 0 ? (self.issuerURL.size() + == 0 || self.discoveryURL.find(''^.+[^/]'') != self.issuerURL.find(''^.+[^/]'')) + : true' + name: + description: |- + name is a required field that configures the unique human-readable identifier + associated with the identity provider. + It is used to distinguish between multiple identity providers + and has no impact on token validation or authentication mechanics. + + name must not be an empty string (""). + minLength: 1 + type: string + oidcClients: + description: |- + oidcClients is an optional field that configures how on-cluster, + platform clients should request tokens from the identity provider. + oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. + items: + description: |- + OIDCClientConfig configures how platform clients + interact with identity providers as an authentication + method + properties: + clientID: + description: |- + clientID is a required field that configures the client identifier, from + the identity provider, that the platform component uses for authentication + requests made to the identity provider. + The identity provider must accept this identifier for platform components + to be able to use the identity provider as an authentication mode. + + clientID must not be an empty string (""). + minLength: 1 + type: string + clientSecret: + description: |- + clientSecret is an optional field that configures the client secret used + by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests + to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' + namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + The client secret will be used when making authentication requests to the identity provider. + + Public clients do not require a client secret but private + clients do require a client secret to work with the identity provider. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + componentName: + description: |- + componentName is a required field that specifies the name of the platform + component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + componentNamespace: + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component being configured to use the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + maxLength: 63 + minLength: 1 + type: string + extraScopes: + description: |- + extraScopes is an optional field that configures the extra scopes that should + be requested by the platform component when making authentication requests to the + identity provider. + This is useful if you have configured claim mappings that requires specific + scopes to be requested beyond the standard OIDC scopes. + + When omitted, no additional scopes are requested. + items: + type: string + type: array + x-kubernetes-list-type: set + required: + - clientID + - componentName + - componentNamespace + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map + userValidationRules: + description: |- + userValidationRules is an optional field that configures the set of rules + used to validate the cluster user identity that was constructed via + mapping token claims to user identity attributes. + Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. + If any rule in the chain of rules evaluates to 'false', authentication will fail. + When specified, at least one rule must be specified and no more than 64 rules may be specified. + items: + description: |- + TokenUserValidationRule provides a CEL-based rule used to validate a token subject. + Each rule contains a CEL expression that is evaluated against the token’s claims. + properties: + expression: + description: |- + expression is a required CEL expression that performs a validation + on cluster user identity attributes like username, groups, etc. + The expression must evaluate to a boolean value. + When the expression evaluates to 'true', the cluster user identity is considered valid. + When the expression evaluates to 'false', the cluster user identity is not considered valid. + expression must be at least 1 character in length and must not exceed 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + message: + description: |- + message is a required human-readable message to be logged by the Kubernetes API server + if the CEL expression defined in 'expression' fails. + message must be at least 1 character in length and must not exceed 256 characters. + maxLength: 256 + minLength: 1 + type: string + required: + - expression + - message + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - expression + x-kubernetes-list-type: map + required: + - claimMappings + - issuer + - name + type: object + maxItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + serviceAccountIssuer: + description: |- + serviceAccountIssuer is the identifier of the bound service account token + issuer. + The default is https://kubernetes.default.svc + WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the + previous issuer value. Instead, the tokens issued by previous service account issuer will continue to + be trusted for a time period chosen by the platform (currently set to 24h). + This time period is subject to change over time. + This allows internal components to transition to use new service account issuer without service distruption. + type: string + type: + description: |- + type identifies the cluster managed, user facing authentication mode in use. + Specifically, it manages the component that responds to login attempts. + The default is IntegratedOAuth. + enum: + - "" + - None + - IntegratedOAuth + - OIDC + type: string + webhookTokenAuthenticator: + description: |- + webhookTokenAuthenticator configures a remote token reviewer. + These remote authentication webhooks can be used to verify bearer tokens + via the tokenreviews.authentication.k8s.io REST API. This is required to + honor bearer tokens that are provisioned by an external authentication service. + + Can only be set if "Type" is set to "None". + properties: + kubeConfig: + description: |- + kubeConfig references a secret that contains kube config file data which + describes how to access the remote webhook service. + The namespace for the referenced secret is openshift-config. + + For further details, see: + + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. + properties: + name: + description: name is the metadata.name of the referenced secret + type: string + required: + - name + type: object + required: + - kubeConfig + type: object + webhookTokenAuthenticators: + description: webhookTokenAuthenticators is DEPRECATED, setting it + has no effect. + items: + description: |- + deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. + It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. + properties: + kubeConfig: + description: |- + kubeConfig contains kube config file data which describes how to access the remote webhook service. + For further details, see: + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. + The namespace for this secret is determined by the point of use. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + properties: + integratedOAuthMetadata: + description: |- + integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 + Authorization Server Metadata for the in-cluster integrated OAuth server. + This discovery document can be viewed from its served location: + oc get --raw '/.well-known/oauth-authorization-server' + For further details, see the IETF Draft: + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + This contains the observed value based on cluster state. + An explicitly set value in spec.oauthMetadata has precedence over this field. + This field has no meaning if authentication spec.type is not set to IntegratedOAuth. + The key "oauthMetadata" is used to locate the data. + If the config map or expected key is not found, no metadata is served. + If the specified metadata is not valid, no metadata is served. + The namespace for this config map is openshift-config-managed. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + oidcClients: + description: |- + oidcClients is where participating operators place the current OIDC client status + for OIDC clients that can be customized by the cluster-admin. + items: + description: |- + OIDCClientStatus represents the current state + of platform components and how they interact with + the configured identity providers. + properties: + componentName: + description: |- + componentName is a required field that specifies the name of the platform + component using the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + componentNamespace: + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component using the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + maxLength: 63 + minLength: 1 + type: string + conditions: + description: |- + conditions are used to communicate the state of the `oidcClients` entry. + + Supported conditions include Available, Degraded and Progressing. + + If Available is true, the component is successfully using the configured client. + If Degraded is true, that means something has gone wrong trying to handle the client configuration. + If Progressing is true, that means the component is taking some action related to the `oidcClients` entry. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + consumingUsers: + description: |- + consumingUsers is an optional list of ServiceAccounts requiring + read permissions on the `clientSecret` secret. + + consumingUsers must not exceed 5 entries. + items: + description: ConsumingUser is an alias for string which we + add validation to. Currently only service accounts are supported. + maxLength: 512 + minLength: 1 + pattern: ^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 5 + type: array + x-kubernetes-list-type: set + currentOIDCClients: + description: |- + currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. + items: + description: |- + OIDCClientReference is a reference to a platform component + client configuration. + properties: + clientID: + description: |- + clientID is a required field that specifies the client identifier, from + the identity provider, that the platform component is using for authentication + requests made to the identity provider. + + clientID must not be empty. + minLength: 1 + type: string + issuerURL: + description: |- + issuerURL is a required field that specifies the URL of the identity + provider that this client is configured to make requests against. + + issuerURL must use the 'https' scheme. + pattern: ^https:\/\/[^\s] + type: string + oidcProviderName: + description: |- + oidcProviderName is a required reference to the 'name' of the identity provider + configured in 'oidcProviders' that this client is associated with. + + oidcProviderName must not be an empty string (""). + minLength: 1 + type: string + required: + - clientID + - issuerURL + - oidcProviderName + type: object + type: array + x-kubernetes-list-map-keys: + - issuerURL + - clientID + x-kubernetes-list-type: map + required: + - componentName + - componentNamespace + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + x-kubernetes-validations: + - message: all oidcClients in the oidcProviders must match their componentName + and componentNamespace to either a previously configured oidcClient or + they must exist in the status.oidcClients + rule: '!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) + || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace + == specC.componentNamespace && statusC.componentName == specC.componentName) + || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, + oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, + oldC.componentNamespace == specC.componentNamespace && oldC.componentName + == specC.componentName)))))' + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml similarity index 96% rename from vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications.crd.yaml rename to vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml index d6e1cf0849..5233cc52fa 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml @@ -7,6 +7,7 @@ metadata: include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: OKD name: authentications.config.openshift.io spec: group: config.openshift.io @@ -347,12 +348,17 @@ spec: Validation rules are joined via an AND operation. items: + description: |- + TokenClaimValidationRule represents a validation rule based on token claims. + If type is RequiredClaim, requiredClaim must be set. + If Type is CEL, CEL must be set and RequiredClaim must be omitted. properties: requiredClaim: description: |- - requiredClaim is an optional field that configures the required claim - and value that the Kubernetes API server will use to validate if an incoming - JWT is valid for this identity provider. + requiredClaim allows configuring a required claim name and its expected value. + This field is required when `type` is set to RequiredClaim, and must be omitted + when `type` is set to any other value. The Kubernetes API server uses this field + to validate if an incoming JWT is valid for this identity provider. properties: claim: description: |- @@ -377,22 +383,28 @@ spec: - requiredValue type: object type: - default: RequiredClaim description: |- type is an optional field that configures the type of the validation rule. - Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). + Allowed values are "RequiredClaim" and "CEL". - When set to 'RequiredClaim', the Kubernetes API server - will be configured to validate that the incoming JWT - contains the required claim and that its value matches - the required value. + When set to 'RequiredClaim', the Kubernetes API server will be configured + to validate that the incoming JWT contains the required claim and that its + value matches the required value. - Defaults to 'RequiredClaim'. + When set to 'CEL', the Kubernetes API server will be configured + to validate the incoming JWT against the configured CEL expression. enum: - RequiredClaim type: string + required: + - type type: object + x-kubernetes-validations: + - message: requiredClaim must be set when type is 'RequiredClaim', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''RequiredClaim'' + ? has(self.requiredClaim) : !has(self.requiredClaim)' type: array x-kubernetes-list-type: atomic issuer: diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 0000000000..60698312ae --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml @@ -0,0 +1,982 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: authentications.config.openshift.io +spec: + group: config.openshift.io + names: + kind: Authentication + listKind: AuthenticationList + plural: authentications + singular: authentication + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Authentication specifies cluster-wide settings for authentication (like OAuth and + webhook token authenticators). The canonical name of an instance is `cluster`. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + oauthMetadata: + description: |- + oauthMetadata contains the discovery endpoint data for OAuth 2.0 + Authorization Server Metadata for an external OAuth server. + This discovery document can be viewed from its served location: + oc get --raw '/.well-known/oauth-authorization-server' + For further details, see the IETF Draft: + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + If oauthMetadata.name is non-empty, this value has precedence + over any metadata reference stored in status. + The key "oauthMetadata" is used to locate the data. + If specified and the config map or expected key is not found, no metadata is served. + If the specified metadata is not valid, no metadata is served. + The namespace for this config map is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + oidcProviders: + description: |- + oidcProviders are OIDC identity providers that can issue tokens + for this cluster + Can only be set if "Type" is set to "OIDC". + + At most one provider can be configured. + items: + properties: + claimMappings: + description: |- + claimMappings is a required field that configures the rules to be used by + the Kubernetes API server for translating claims in a JWT token, issued + by the identity provider, to a cluster identity. + properties: + extra: + description: |- + extra is an optional field for configuring the mappings + used to construct the extra attribute for the cluster identity. + When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. + A maximum of 32 extra attribute mappings may be provided. + items: + description: |- + ExtraMapping allows specifying a key and CEL expression + to evaluate the keys' value. It is used to create additional + mappings and attributes added to a cluster identity from + a provided authentication token. + properties: + key: + description: |- + key is a required field that specifies the string + to use as the extra attribute key. + + key must be a domain-prefix path (e.g 'example.org/foo'). + key must not exceed 510 characters in length. + key must contain the '/' character, separating the domain and path characters. + key must not be empty. + + The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. + It must not exceed 253 characters in length. + It must start and end with an alphanumeric character. + It must only contain lower case alphanumeric characters and '-' or '.'. + It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". + + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one + alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + It must not exceed 256 characters in length. + maxLength: 510 + minLength: 1 + type: string + x-kubernetes-validations: + - message: key must contain the '/' character + rule: self.contains('/') + - message: the domain of the key must consist of only + lower case alphanumeric characters, '-' or '.', + and must start and end with an alphanumeric character + rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + - message: the domain of the key must not exceed 253 + characters in length + rule: self.split('/', 2)[0].size() <= 253 + - message: the domain 'kubernetes.io' is reserved + for Kubernetes use + rule: self.split('/', 2)[0] != 'kubernetes.io' + - message: the subdomains '*.kubernetes.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' + - message: the domain 'k8s.io' is reserved for Kubernetes + use + rule: self.split('/', 2)[0] != 'k8s.io' + - message: the subdomains '*.k8s.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' + - message: the domain 'openshift.io' is reserved for + OpenShift use + rule: self.split('/', 2)[0] != 'openshift.io' + - message: the subdomains '*.openshift.io' are reserved + for OpenShift use + rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' + - message: the path of the key must not be empty and + must consist of at least one alphanumeric character, + percent-encoded octets, apostrophe, '-', '.', + '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', + ';', '=', and ':' + rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') + - message: the path of the key must not exceed 256 + characters in length + rule: self.split('/', 2)[1].size() <= 256 + valueExpression: + description: |- + valueExpression is a required field to specify the CEL expression to extract + the extra attribute value from a JWT token's claims. + valueExpression must produce a string or string array value. + "", [], and null are treated as the extra mapping not being present. + Empty string values within an array are filtered out. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + valueExpression must not exceed 1024 characters in length. + valueExpression must not be empty. + maxLength: 1024 + minLength: 1 + type: string + required: + - key + - valueExpression + type: object + maxItems: 32 + type: array + x-kubernetes-list-map-keys: + - key + x-kubernetes-list-type: map + groups: + description: |- + groups is an optional field that configures how the groups of a cluster identity + should be constructed from the claims in a JWT token issued + by the identity provider. + When referencing a claim, if the claim is present in the JWT + token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + properties: + claim: + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. + type: string + prefix: + description: |- + prefix is an optional field that configures the prefix that will be + applied to the cluster identity attribute during the process of mapping + JWT claims to cluster identity attributes. + + When omitted (""), no prefix is applied to the cluster identity attribute. + + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains + an array of strings "a", "b" and "c", the mapping will result in an + array of string "myoidc:a", "myoidc:b" and "myoidc:c". + type: string + required: + - claim + type: object + uid: + description: |- + uid is an optional field for configuring the claim mapping + used to construct the uid for the cluster identity. + + When using uid.claim to specify the claim it must be a single string value. + When using uid.expression the expression must result in a single string value. + + When omitted, this means the user has no opinion and the platform + is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. + properties: + claim: + description: |- + claim is an optional field for specifying the + JWT token claim that is used in the mapping. + The value of this claim will be assigned to + the field in which this mapping is associated. + + Precisely one of claim or expression must be set. + claim must not be specified when expression is set. + When specified, claim must be at least 1 character in length + and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + expression: + description: |- + expression is an optional field for specifying a + CEL expression that produces a string value from + JWT token claims. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + Precisely one of claim or expression must be set. + expression must not be specified when claim is set. + When specified, expression must be at least 1 character in length + and must not exceed 1024 characters in length. + maxLength: 1024 + minLength: 1 + type: string + type: object + x-kubernetes-validations: + - message: precisely one of claim or expression must be + set + rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' + username: + description: |- + username is a required field that configures how the username of a cluster identity + should be constructed from the claims in a JWT token issued by the identity provider. + properties: + claim: + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. + + claim must not be an empty string ("") and must not exceed 256 characters. + maxLength: 256 + minLength: 1 + type: string + prefix: + description: |- + prefix configures the prefix that should be prepended to the value + of the JWT claim. + + prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. + properties: + prefixString: + description: |- + prefixString is a required field that configures the prefix that will + be applied to cluster identity username attribute + during the process of mapping JWT claims to cluster identity attributes. + + prefixString must not be an empty string (""). + minLength: 1 + type: string + required: + - prefixString + type: object + prefixPolicy: + description: |- + prefixPolicy is an optional field that configures how a prefix should be + applied to the value of the JWT claim specified in the 'claim' field. + + Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). + + When set to 'Prefix', the value specified in the prefix field will be + prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. + + When set to 'NoPrefix', no prefix will be prepended to the value + of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose + any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim + when the claim is not 'email'. + As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + - "username": the mapped value will be "https://myoidc.tld#userA" + - "email": the mapped value will be "userA@myoidc.tld" + enum: + - "" + - NoPrefix + - Prefix + type: string + required: + - claim + type: object + x-kubernetes-validations: + - message: prefix must be set if prefixPolicy is 'Prefix', + but must remain unset otherwise + rule: 'has(self.prefixPolicy) && self.prefixPolicy == + ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) + > 0) : !has(self.prefix)' + required: + - username + type: object + claimValidationRules: + description: |- + claimValidationRules is an optional field that configures the rules to + be used by the Kubernetes API server for validating the claims in a JWT + token issued by the identity provider. + + Validation rules are joined via an AND operation. + items: + description: |- + TokenClaimValidationRule represents a validation rule based on token claims. + If type is RequiredClaim, requiredClaim must be set. + If Type is CEL, CEL must be set and RequiredClaim must be omitted. + properties: + cel: + description: |- + cel holds the CEL expression and message for validation. + Must be set when Type is "CEL", and forbidden otherwise. + properties: + expression: + description: |- + expression is a CEL expression evaluated against token claims. + expression is required, must be at least 1 character in length and must not exceed 1024 characters. + The expression must return a boolean value where 'true' signals a valid token and 'false' an invalid one. + maxLength: 1024 + minLength: 1 + type: string + message: + description: |- + message is a required human-readable message to be logged by the Kubernetes API server + if the CEL expression defined in 'expression' fails. + message must be at least 1 character in length and must not exceed 256 characters. + maxLength: 256 + minLength: 1 + type: string + required: + - expression + - message + type: object + requiredClaim: + description: |- + requiredClaim allows configuring a required claim name and its expected value. + This field is required when `type` is set to RequiredClaim, and must be omitted + when `type` is set to any other value. The Kubernetes API server uses this field + to validate if an incoming JWT is valid for this identity provider. + properties: + claim: + description: |- + claim is a required field that configures the name of the required claim. + When taken from the JWT claims, claim must be a string value. + + claim must not be an empty string (""). + minLength: 1 + type: string + requiredValue: + description: |- + requiredValue is a required field that configures the value that 'claim' must + have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token + will be rejected for authentication. + + requiredValue must not be an empty string (""). + minLength: 1 + type: string + required: + - claim + - requiredValue + type: object + type: + description: |- + type is an optional field that configures the type of the validation rule. + + Allowed values are "RequiredClaim" and "CEL". + + When set to 'RequiredClaim', the Kubernetes API server will be configured + to validate that the incoming JWT contains the required claim and that its + value matches the required value. + + When set to 'CEL', the Kubernetes API server will be configured + to validate the incoming JWT against the configured CEL expression. + enum: + - RequiredClaim + - CEL + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: cel must be set when type is 'CEL', and forbidden + otherwise + rule: 'has(self.type) && self.type == ''CEL'' ? has(self.cel) + : !has(self.cel)' + - message: requiredClaim must be set when type is 'RequiredClaim', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''RequiredClaim'' + ? has(self.requiredClaim) : !has(self.requiredClaim)' + type: array + x-kubernetes-list-type: atomic + issuer: + description: |- + issuer is a required field that configures how the platform interacts + with the identity provider and how tokens issued from the identity provider + are evaluated by the Kubernetes API server. + properties: + audiences: + description: |- + audiences is a required field that configures the acceptable audiences + the JWT token, issued by the identity provider, must be issued to. + At least one of the entries must match the 'aud' claim in the JWT token. + + audiences must contain at least one entry and must not exceed ten entries. + items: + minLength: 1 + type: string + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: set + discoveryURL: + description: |- + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint + used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` + as "{issuerURL}/.well-known/openid-configuration". + + The discoveryURL must be a valid absolute HTTPS URL. It must not contain query + parameters, user information, or fragments. Additionally, it must differ from the value of `url` (ignoring trailing slashes). + The discoveryURL value must be at least 1 character long and no longer than 2048 characters. + maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: discoveryURL must be a valid URL + rule: isURL(self) + - message: discoveryURL must be a valid https URL + rule: url(self).getScheme() == 'https' + - message: discoveryURL must not contain query parameters + rule: url(self).getQuery().size() == 0 + - message: discoveryURL must not contain fragments + rule: self.matches('^[^#]*$') + - message: discoveryURL must not contain user info + rule: '!self.matches(''^https://.+:.+@.+/.*$'')' + issuerCertificateAuthority: + description: |- + issuerCertificateAuthority is an optional field that configures the + certificate authority, used by the Kubernetes API server, to validate + the connection to the identity provider when fetching discovery information. + + When not specified, the system trust is used. + + When specified, it must reference a ConfigMap in the openshift-config + namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' + key in the data field of the ConfigMap. + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + required: + - name + type: object + issuerURL: + description: |- + issuerURL is a required field that configures the URL used to issue tokens + by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled + by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + + Must be at least 1 character and must not exceed 512 characters in length. + Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. + maxLength: 512 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: must use the 'https' scheme + rule: isURL(self) && url(self).getScheme() == 'https' + - message: must not have a query + rule: isURL(self) && url(self).getQuery() == {} + - message: must not have a fragment + rule: self.find('#(.+)$') == '' + - message: must not have user info + rule: self.find('@') == '' + required: + - audiences + - issuerURL + type: object + x-kubernetes-validations: + - message: discoveryURL must be different from issuerURL + rule: 'self.?discoveryURL.orValue("").size() > 0 ? (self.issuerURL.size() + == 0 || self.discoveryURL.find(''^.+[^/]'') != self.issuerURL.find(''^.+[^/]'')) + : true' + name: + description: |- + name is a required field that configures the unique human-readable identifier + associated with the identity provider. + It is used to distinguish between multiple identity providers + and has no impact on token validation or authentication mechanics. + + name must not be an empty string (""). + minLength: 1 + type: string + oidcClients: + description: |- + oidcClients is an optional field that configures how on-cluster, + platform clients should request tokens from the identity provider. + oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. + items: + description: |- + OIDCClientConfig configures how platform clients + interact with identity providers as an authentication + method + properties: + clientID: + description: |- + clientID is a required field that configures the client identifier, from + the identity provider, that the platform component uses for authentication + requests made to the identity provider. + The identity provider must accept this identifier for platform components + to be able to use the identity provider as an authentication mode. + + clientID must not be an empty string (""). + minLength: 1 + type: string + clientSecret: + description: |- + clientSecret is an optional field that configures the client secret used + by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests + to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' + namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + The client secret will be used when making authentication requests to the identity provider. + + Public clients do not require a client secret but private + clients do require a client secret to work with the identity provider. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + componentName: + description: |- + componentName is a required field that specifies the name of the platform + component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + componentNamespace: + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component being configured to use the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + maxLength: 63 + minLength: 1 + type: string + extraScopes: + description: |- + extraScopes is an optional field that configures the extra scopes that should + be requested by the platform component when making authentication requests to the + identity provider. + This is useful if you have configured claim mappings that requires specific + scopes to be requested beyond the standard OIDC scopes. + + When omitted, no additional scopes are requested. + items: + type: string + type: array + x-kubernetes-list-type: set + required: + - clientID + - componentName + - componentNamespace + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map + userValidationRules: + description: |- + userValidationRules is an optional field that configures the set of rules + used to validate the cluster user identity that was constructed via + mapping token claims to user identity attributes. + Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. + If any rule in the chain of rules evaluates to 'false', authentication will fail. + When specified, at least one rule must be specified and no more than 64 rules may be specified. + items: + description: |- + TokenUserValidationRule provides a CEL-based rule used to validate a token subject. + Each rule contains a CEL expression that is evaluated against the token’s claims. + properties: + expression: + description: |- + expression is a required CEL expression that performs a validation + on cluster user identity attributes like username, groups, etc. + The expression must evaluate to a boolean value. + When the expression evaluates to 'true', the cluster user identity is considered valid. + When the expression evaluates to 'false', the cluster user identity is not considered valid. + expression must be at least 1 character in length and must not exceed 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + message: + description: |- + message is a required human-readable message to be logged by the Kubernetes API server + if the CEL expression defined in 'expression' fails. + message must be at least 1 character in length and must not exceed 256 characters. + maxLength: 256 + minLength: 1 + type: string + required: + - expression + - message + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - expression + x-kubernetes-list-type: map + required: + - claimMappings + - issuer + - name + type: object + maxItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + serviceAccountIssuer: + description: |- + serviceAccountIssuer is the identifier of the bound service account token + issuer. + The default is https://kubernetes.default.svc + WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the + previous issuer value. Instead, the tokens issued by previous service account issuer will continue to + be trusted for a time period chosen by the platform (currently set to 24h). + This time period is subject to change over time. + This allows internal components to transition to use new service account issuer without service distruption. + type: string + type: + description: |- + type identifies the cluster managed, user facing authentication mode in use. + Specifically, it manages the component that responds to login attempts. + The default is IntegratedOAuth. + enum: + - "" + - None + - IntegratedOAuth + - OIDC + type: string + webhookTokenAuthenticator: + description: |- + webhookTokenAuthenticator configures a remote token reviewer. + These remote authentication webhooks can be used to verify bearer tokens + via the tokenreviews.authentication.k8s.io REST API. This is required to + honor bearer tokens that are provisioned by an external authentication service. + + Can only be set if "Type" is set to "None". + properties: + kubeConfig: + description: |- + kubeConfig references a secret that contains kube config file data which + describes how to access the remote webhook service. + The namespace for the referenced secret is openshift-config. + + For further details, see: + + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. + properties: + name: + description: name is the metadata.name of the referenced secret + type: string + required: + - name + type: object + required: + - kubeConfig + type: object + webhookTokenAuthenticators: + description: webhookTokenAuthenticators is DEPRECATED, setting it + has no effect. + items: + description: |- + deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. + It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. + properties: + kubeConfig: + description: |- + kubeConfig contains kube config file data which describes how to access the remote webhook service. + For further details, see: + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. + The namespace for this secret is determined by the point of use. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + properties: + integratedOAuthMetadata: + description: |- + integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 + Authorization Server Metadata for the in-cluster integrated OAuth server. + This discovery document can be viewed from its served location: + oc get --raw '/.well-known/oauth-authorization-server' + For further details, see the IETF Draft: + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + This contains the observed value based on cluster state. + An explicitly set value in spec.oauthMetadata has precedence over this field. + This field has no meaning if authentication spec.type is not set to IntegratedOAuth. + The key "oauthMetadata" is used to locate the data. + If the config map or expected key is not found, no metadata is served. + If the specified metadata is not valid, no metadata is served. + The namespace for this config map is openshift-config-managed. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + oidcClients: + description: |- + oidcClients is where participating operators place the current OIDC client status + for OIDC clients that can be customized by the cluster-admin. + items: + description: |- + OIDCClientStatus represents the current state + of platform components and how they interact with + the configured identity providers. + properties: + componentName: + description: |- + componentName is a required field that specifies the name of the platform + component using the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + componentNamespace: + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component using the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + maxLength: 63 + minLength: 1 + type: string + conditions: + description: |- + conditions are used to communicate the state of the `oidcClients` entry. + + Supported conditions include Available, Degraded and Progressing. + + If Available is true, the component is successfully using the configured client. + If Degraded is true, that means something has gone wrong trying to handle the client configuration. + If Progressing is true, that means the component is taking some action related to the `oidcClients` entry. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + consumingUsers: + description: |- + consumingUsers is an optional list of ServiceAccounts requiring + read permissions on the `clientSecret` secret. + + consumingUsers must not exceed 5 entries. + items: + description: ConsumingUser is an alias for string which we + add validation to. Currently only service accounts are supported. + maxLength: 512 + minLength: 1 + pattern: ^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 5 + type: array + x-kubernetes-list-type: set + currentOIDCClients: + description: |- + currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. + items: + description: |- + OIDCClientReference is a reference to a platform component + client configuration. + properties: + clientID: + description: |- + clientID is a required field that specifies the client identifier, from + the identity provider, that the platform component is using for authentication + requests made to the identity provider. + + clientID must not be empty. + minLength: 1 + type: string + issuerURL: + description: |- + issuerURL is a required field that specifies the URL of the identity + provider that this client is configured to make requests against. + + issuerURL must use the 'https' scheme. + pattern: ^https:\/\/[^\s] + type: string + oidcProviderName: + description: |- + oidcProviderName is a required reference to the 'name' of the identity provider + configured in 'oidcProviders' that this client is associated with. + + oidcProviderName must not be an empty string (""). + minLength: 1 + type: string + required: + - clientID + - issuerURL + - oidcProviderName + type: object + type: array + x-kubernetes-list-map-keys: + - issuerURL + - clientID + x-kubernetes-list-type: map + required: + - componentName + - componentNamespace + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + x-kubernetes-validations: + - message: all oidcClients in the oidcProviders must match their componentName + and componentNamespace to either a previously configured oidcClient or + they must exist in the status.oidcClients + rule: '!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) + || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace + == specC.componentNamespace && statusC.componentName == specC.componentName) + || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, + oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, + oldC.componentNamespace == specC.componentNamespace && oldC.componentName + == specC.componentName)))))' + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-Default.crd.yaml deleted file mode 100644 index 29dc56153e..0000000000 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-Default.crd.yaml +++ /dev/null @@ -1,415 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/2310 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: Default - name: clusterimagepolicies.config.openshift.io -spec: - group: config.openshift.io - names: - kind: ClusterImagePolicy - listKind: ClusterImagePolicyList - plural: clusterimagepolicies - singular: clusterimagepolicy - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - ClusterImagePolicy holds cluster-wide configuration for image signature verification - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec contains the configuration for the cluster image policy. - properties: - policy: - description: |- - policy is a required field that contains configuration to allow scopes to be verified, and defines how - images not matching the verification policy will be treated. - properties: - rootOfTrust: - description: |- - rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. - This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. - properties: - fulcioCAWithRekor: - description: |- - fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. - fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise - For more information about Fulcio and Rekor, please refer to the document at: - https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor - properties: - fulcioCAData: - description: |- - fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. - fulcioCAData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the fulcioCAData must start with base64 encoding - of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the fulcioCAData must end with base64 encoding - of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - fulcioSubject: - description: fulcioSubject is a required field specifies - OIDC issuer and the email of the Fulcio authentication - configuration. - properties: - oidcIssuer: - description: |- - oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. - It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. - When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. - Example: "https://expected.OIDC.issuer/" - maxLength: 2048 - type: string - x-kubernetes-validations: - - message: oidcIssuer must be a valid URL - rule: isURL(self) - signedEmail: - description: |- - signedEmail is a required field holds the email address that the Fulcio certificate is issued for. - The signedEmail must be a valid email address and at most 320 characters in length. - Example: "expected-signing-user@example.com" - maxLength: 320 - type: string - x-kubernetes-validations: - - message: invalid email address - rule: self.matches('^\\S+@\\S+$') - required: - - oidcIssuer - - signedEmail - type: object - rekorKeyData: - description: |- - rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the rekorKeyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the rekorKeyData must end with base64 encoding - of '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - required: - - fulcioCAData - - fulcioSubject - - rekorKeyData - type: object - policyType: - description: |- - policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. - Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". - When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. - When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. - When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. - type: string - publicKey: - description: |- - publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. - publicKey is required when policyType is PublicKey, and forbidden otherwise. - properties: - keyData: - description: |- - keyData is a required field contains inline base64-encoded data for the PEM format public key. - keyData must be at most 8192 characters. - format: byte - maxLength: 8192 - minLength: 68 - type: string - x-kubernetes-validations: - - message: the keyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the keyData must end with base64 encoding of - '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - rekorKeyData: - description: |- - rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the rekorKeyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the rekorKeyData must end with base64 encoding - of '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - required: - - keyData - type: object - required: - - policyType - type: object - x-kubernetes-validations: - - message: publicKey is required when policyType is PublicKey, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''PublicKey'' - ? has(self.publicKey) : !has(self.publicKey)' - - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' - ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' - signedIdentity: - description: |- - signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. - The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". - properties: - exactRepository: - description: |- - exactRepository specifies the repository that must be exactly matched by the identity in the signature. - exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. - properties: - repository: - description: |- - repository is the reference of the image identity to be matched. - repository is required if matchPolicy is set to "ExactRepository". - The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - repository - type: object - matchPolicy: - description: |- - matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. - Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". - When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. - When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. - When set to "ExactRepository", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by "repository". - When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. - enum: - - MatchRepoDigestOrExact - - MatchRepository - - ExactRepository - - RemapIdentity - type: string - remapIdentity: - description: |- - remapIdentity specifies the prefix remapping rule for verifying image identity. - remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. - properties: - prefix: - description: |- - prefix is required if matchPolicy is set to "RemapIdentity". - prefix is the prefix of the image identity to be matched. - If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). - This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. - The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - signedPrefix: - description: |- - signedPrefix is required if matchPolicy is set to "RemapIdentity". - signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - prefix - - signedPrefix - type: object - required: - - matchPolicy - type: object - x-kubernetes-validations: - - message: exactRepository is required when matchPolicy is ExactRepository, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') - ? has(self.exactRepository) : !has(self.exactRepository)' - - message: remapIdentity is required when matchPolicy is RemapIdentity, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') - ? has(self.remapIdentity) : !has(self.remapIdentity)' - required: - - rootOfTrust - type: object - scopes: - description: |- - scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". - Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). - More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository - namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). - Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. - This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. - In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories - quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. - If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. - For additional details about the format, please refer to the document explaining the docker transport field, - which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker - items: - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid image scope format, scope must contain a fully - qualified domain name or 'localhost' - rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] - == ''localhost'' : true' - - message: invalid image scope with wildcard, a wildcard can only - be at the start of the domain and is only supported for subdomain - matching, not path matching - rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') - : true' - - message: invalid repository namespace or image specification in - the image scope - rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') - : true' - maxItems: 256 - type: array - x-kubernetes-list-type: set - required: - - policy - - scopes - type: object - status: - description: status contains the observed state of the resource. - properties: - conditions: - description: conditions provide details on the status of this API - Resource. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml deleted file mode 100644 index c36e20e2da..0000000000 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml +++ /dev/null @@ -1,510 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/2310 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: DevPreviewNoUpgrade - name: clusterimagepolicies.config.openshift.io -spec: - group: config.openshift.io - names: - kind: ClusterImagePolicy - listKind: ClusterImagePolicyList - plural: clusterimagepolicies - singular: clusterimagepolicy - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - ClusterImagePolicy holds cluster-wide configuration for image signature verification - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec contains the configuration for the cluster image policy. - properties: - policy: - description: |- - policy is a required field that contains configuration to allow scopes to be verified, and defines how - images not matching the verification policy will be treated. - properties: - rootOfTrust: - description: |- - rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. - This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. - properties: - fulcioCAWithRekor: - description: |- - fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. - fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise - For more information about Fulcio and Rekor, please refer to the document at: - https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor - properties: - fulcioCAData: - description: |- - fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. - fulcioCAData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the fulcioCAData must start with base64 encoding - of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the fulcioCAData must end with base64 encoding - of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - fulcioSubject: - description: fulcioSubject is a required field specifies - OIDC issuer and the email of the Fulcio authentication - configuration. - properties: - oidcIssuer: - description: |- - oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. - It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. - When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. - Example: "https://expected.OIDC.issuer/" - maxLength: 2048 - type: string - x-kubernetes-validations: - - message: oidcIssuer must be a valid URL - rule: isURL(self) - signedEmail: - description: |- - signedEmail is a required field holds the email address that the Fulcio certificate is issued for. - The signedEmail must be a valid email address and at most 320 characters in length. - Example: "expected-signing-user@example.com" - maxLength: 320 - type: string - x-kubernetes-validations: - - message: invalid email address - rule: self.matches('^\\S+@\\S+$') - required: - - oidcIssuer - - signedEmail - type: object - rekorKeyData: - description: |- - rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the rekorKeyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the rekorKeyData must end with base64 encoding - of '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - required: - - fulcioCAData - - fulcioSubject - - rekorKeyData - type: object - pki: - description: |- - pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. - pki is required when policyType is PKI, and forbidden otherwise. - properties: - caIntermediatesData: - description: |- - caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. - caIntermediatesData requires caRootsData to be set. - format: byte - maxLength: 8192 - minLength: 72 - type: string - x-kubernetes-validations: - - message: the caIntermediatesData must start with base64 - encoding of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the caIntermediatesData must end with base64 - encoding of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - - message: caIntermediatesData must be base64 encoding - of valid PEM format data contain the same number of - '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' - markers. - rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() - == string(self).findAll('-----END CERTIFICATE-----').size() - caRootsData: - description: caRootsData contains base64-encoded data - of a certificate bundle PEM file, which contains one - or more CA roots in the PEM format. The total length - of the data must not exceed 8192 characters. - format: byte - maxLength: 8192 - minLength: 72 - type: string - x-kubernetes-validations: - - message: the caRootsData must start with base64 encoding - of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the caRootsData must end with base64 encoding - of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - - message: caRootsData must be base64 encoding of valid - PEM format data contain the same number of '-----BEGIN - CERTIFICATE-----' and '-----END CERTIFICATE-----' - markers. - rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() - == string(self).findAll('-----END CERTIFICATE-----').size() - pkiCertificateSubject: - description: pkiCertificateSubject defines the requirements - imposed on the subject to which the certificate was - issued. - properties: - email: - description: |- - email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. - The email must be a valid email address and at most 320 characters in length. - maxLength: 320 - type: string - x-kubernetes-validations: - - message: invalid email address - rule: self.matches('^\\S+@\\S+$') - hostname: - description: |- - hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. - The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. - It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: hostname must be a valid dns 1123 subdomain - name, optionally prefixed by '*.'. It must consist - only of lowercase alphanumeric characters, hyphens, - periods and the optional preceding asterisk. - rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', - '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' - type: object - x-kubernetes-validations: - - message: at least one of email or hostname must be set - in pkiCertificateSubject - rule: has(self.email) || has(self.hostname) - required: - - caRootsData - - pkiCertificateSubject - type: object - policyType: - description: |- - policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. - Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". - When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. - When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. - When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. - enum: - - PublicKey - - FulcioCAWithRekor - - PKI - type: string - publicKey: - description: |- - publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. - publicKey is required when policyType is PublicKey, and forbidden otherwise. - properties: - keyData: - description: |- - keyData is a required field contains inline base64-encoded data for the PEM format public key. - keyData must be at most 8192 characters. - format: byte - maxLength: 8192 - minLength: 68 - type: string - x-kubernetes-validations: - - message: the keyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the keyData must end with base64 encoding of - '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - rekorKeyData: - description: |- - rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the rekorKeyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the rekorKeyData must end with base64 encoding - of '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - required: - - keyData - type: object - required: - - policyType - type: object - x-kubernetes-validations: - - message: pki is required when policyType is PKI, and forbidden - otherwise - rule: 'has(self.policyType) && self.policyType == ''PKI'' ? - has(self.pki) : !has(self.pki)' - - message: publicKey is required when policyType is PublicKey, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''PublicKey'' - ? has(self.publicKey) : !has(self.publicKey)' - - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' - ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' - signedIdentity: - description: |- - signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. - The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". - properties: - exactRepository: - description: |- - exactRepository specifies the repository that must be exactly matched by the identity in the signature. - exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. - properties: - repository: - description: |- - repository is the reference of the image identity to be matched. - repository is required if matchPolicy is set to "ExactRepository". - The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - repository - type: object - matchPolicy: - description: |- - matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. - Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". - When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. - When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. - When set to "ExactRepository", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by "repository". - When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. - enum: - - MatchRepoDigestOrExact - - MatchRepository - - ExactRepository - - RemapIdentity - type: string - remapIdentity: - description: |- - remapIdentity specifies the prefix remapping rule for verifying image identity. - remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. - properties: - prefix: - description: |- - prefix is required if matchPolicy is set to "RemapIdentity". - prefix is the prefix of the image identity to be matched. - If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). - This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. - The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - signedPrefix: - description: |- - signedPrefix is required if matchPolicy is set to "RemapIdentity". - signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - prefix - - signedPrefix - type: object - required: - - matchPolicy - type: object - x-kubernetes-validations: - - message: exactRepository is required when matchPolicy is ExactRepository, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') - ? has(self.exactRepository) : !has(self.exactRepository)' - - message: remapIdentity is required when matchPolicy is RemapIdentity, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') - ? has(self.remapIdentity) : !has(self.remapIdentity)' - required: - - rootOfTrust - type: object - scopes: - description: |- - scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". - Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). - More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository - namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). - Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. - This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. - In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories - quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. - If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. - For additional details about the format, please refer to the document explaining the docker transport field, - which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker - items: - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid image scope format, scope must contain a fully - qualified domain name or 'localhost' - rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] - == ''localhost'' : true' - - message: invalid image scope with wildcard, a wildcard can only - be at the start of the domain and is only supported for subdomain - matching, not path matching - rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') - : true' - - message: invalid repository namespace or image specification in - the image scope - rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') - : true' - maxItems: 256 - type: array - x-kubernetes-list-type: set - required: - - policy - - scopes - type: object - status: - description: status contains the observed state of the resource. - properties: - conditions: - description: conditions provide details on the status of this API - Resource. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml deleted file mode 100644 index d4b1ae9cb3..0000000000 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml +++ /dev/null @@ -1,510 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/2310 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: TechPreviewNoUpgrade - name: clusterimagepolicies.config.openshift.io -spec: - group: config.openshift.io - names: - kind: ClusterImagePolicy - listKind: ClusterImagePolicyList - plural: clusterimagepolicies - singular: clusterimagepolicy - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - ClusterImagePolicy holds cluster-wide configuration for image signature verification - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec contains the configuration for the cluster image policy. - properties: - policy: - description: |- - policy is a required field that contains configuration to allow scopes to be verified, and defines how - images not matching the verification policy will be treated. - properties: - rootOfTrust: - description: |- - rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. - This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. - properties: - fulcioCAWithRekor: - description: |- - fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. - fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise - For more information about Fulcio and Rekor, please refer to the document at: - https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor - properties: - fulcioCAData: - description: |- - fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. - fulcioCAData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the fulcioCAData must start with base64 encoding - of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the fulcioCAData must end with base64 encoding - of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - fulcioSubject: - description: fulcioSubject is a required field specifies - OIDC issuer and the email of the Fulcio authentication - configuration. - properties: - oidcIssuer: - description: |- - oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. - It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. - When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. - Example: "https://expected.OIDC.issuer/" - maxLength: 2048 - type: string - x-kubernetes-validations: - - message: oidcIssuer must be a valid URL - rule: isURL(self) - signedEmail: - description: |- - signedEmail is a required field holds the email address that the Fulcio certificate is issued for. - The signedEmail must be a valid email address and at most 320 characters in length. - Example: "expected-signing-user@example.com" - maxLength: 320 - type: string - x-kubernetes-validations: - - message: invalid email address - rule: self.matches('^\\S+@\\S+$') - required: - - oidcIssuer - - signedEmail - type: object - rekorKeyData: - description: |- - rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the rekorKeyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the rekorKeyData must end with base64 encoding - of '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - required: - - fulcioCAData - - fulcioSubject - - rekorKeyData - type: object - pki: - description: |- - pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. - pki is required when policyType is PKI, and forbidden otherwise. - properties: - caIntermediatesData: - description: |- - caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. - caIntermediatesData requires caRootsData to be set. - format: byte - maxLength: 8192 - minLength: 72 - type: string - x-kubernetes-validations: - - message: the caIntermediatesData must start with base64 - encoding of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the caIntermediatesData must end with base64 - encoding of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - - message: caIntermediatesData must be base64 encoding - of valid PEM format data contain the same number of - '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' - markers. - rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() - == string(self).findAll('-----END CERTIFICATE-----').size() - caRootsData: - description: caRootsData contains base64-encoded data - of a certificate bundle PEM file, which contains one - or more CA roots in the PEM format. The total length - of the data must not exceed 8192 characters. - format: byte - maxLength: 8192 - minLength: 72 - type: string - x-kubernetes-validations: - - message: the caRootsData must start with base64 encoding - of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the caRootsData must end with base64 encoding - of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - - message: caRootsData must be base64 encoding of valid - PEM format data contain the same number of '-----BEGIN - CERTIFICATE-----' and '-----END CERTIFICATE-----' - markers. - rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() - == string(self).findAll('-----END CERTIFICATE-----').size() - pkiCertificateSubject: - description: pkiCertificateSubject defines the requirements - imposed on the subject to which the certificate was - issued. - properties: - email: - description: |- - email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. - The email must be a valid email address and at most 320 characters in length. - maxLength: 320 - type: string - x-kubernetes-validations: - - message: invalid email address - rule: self.matches('^\\S+@\\S+$') - hostname: - description: |- - hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. - The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. - It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: hostname must be a valid dns 1123 subdomain - name, optionally prefixed by '*.'. It must consist - only of lowercase alphanumeric characters, hyphens, - periods and the optional preceding asterisk. - rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', - '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' - type: object - x-kubernetes-validations: - - message: at least one of email or hostname must be set - in pkiCertificateSubject - rule: has(self.email) || has(self.hostname) - required: - - caRootsData - - pkiCertificateSubject - type: object - policyType: - description: |- - policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. - Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". - When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. - When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. - When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. - enum: - - PublicKey - - FulcioCAWithRekor - - PKI - type: string - publicKey: - description: |- - publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. - publicKey is required when policyType is PublicKey, and forbidden otherwise. - properties: - keyData: - description: |- - keyData is a required field contains inline base64-encoded data for the PEM format public key. - keyData must be at most 8192 characters. - format: byte - maxLength: 8192 - minLength: 68 - type: string - x-kubernetes-validations: - - message: the keyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the keyData must end with base64 encoding of - '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - rekorKeyData: - description: |- - rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the rekorKeyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the rekorKeyData must end with base64 encoding - of '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - required: - - keyData - type: object - required: - - policyType - type: object - x-kubernetes-validations: - - message: pki is required when policyType is PKI, and forbidden - otherwise - rule: 'has(self.policyType) && self.policyType == ''PKI'' ? - has(self.pki) : !has(self.pki)' - - message: publicKey is required when policyType is PublicKey, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''PublicKey'' - ? has(self.publicKey) : !has(self.publicKey)' - - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' - ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' - signedIdentity: - description: |- - signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. - The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". - properties: - exactRepository: - description: |- - exactRepository specifies the repository that must be exactly matched by the identity in the signature. - exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. - properties: - repository: - description: |- - repository is the reference of the image identity to be matched. - repository is required if matchPolicy is set to "ExactRepository". - The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - repository - type: object - matchPolicy: - description: |- - matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. - Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". - When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. - When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. - When set to "ExactRepository", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by "repository". - When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. - enum: - - MatchRepoDigestOrExact - - MatchRepository - - ExactRepository - - RemapIdentity - type: string - remapIdentity: - description: |- - remapIdentity specifies the prefix remapping rule for verifying image identity. - remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. - properties: - prefix: - description: |- - prefix is required if matchPolicy is set to "RemapIdentity". - prefix is the prefix of the image identity to be matched. - If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). - This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. - The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - signedPrefix: - description: |- - signedPrefix is required if matchPolicy is set to "RemapIdentity". - signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - prefix - - signedPrefix - type: object - required: - - matchPolicy - type: object - x-kubernetes-validations: - - message: exactRepository is required when matchPolicy is ExactRepository, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') - ? has(self.exactRepository) : !has(self.exactRepository)' - - message: remapIdentity is required when matchPolicy is RemapIdentity, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') - ? has(self.remapIdentity) : !has(self.remapIdentity)' - required: - - rootOfTrust - type: object - scopes: - description: |- - scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". - Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). - More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository - namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). - Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. - This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. - In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories - quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. - If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. - For additional details about the format, please refer to the document explaining the docker transport field, - which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker - items: - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid image scope format, scope must contain a fully - qualified domain name or 'localhost' - rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] - == ''localhost'' : true' - - message: invalid image scope with wildcard, a wildcard can only - be at the start of the domain and is only supported for subdomain - matching, not path matching - rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') - : true' - - message: invalid repository namespace or image specification in - the image scope - rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') - : true' - maxItems: 256 - type: array - x-kubernetes-list-type: set - required: - - policy - - scopes - type: object - status: - description: status contains the observed state of the resource. - properties: - conditions: - description: conditions provide details on the status of this API - Resource. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies.crd.yaml similarity index 99% rename from vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml rename to vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies.crd.yaml index 8794f271fa..435c425ea0 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies.crd.yaml @@ -6,7 +6,6 @@ metadata: api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: CustomNoUpgrade name: clusterimagepolicies.config.openshift.io spec: group: config.openshift.io @@ -220,7 +219,7 @@ spec: Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. - When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). enum: - PublicKey - FulcioCAWithRekor diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_featuregates.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_featuregates.crd.yaml index 55e5ddcb2c..15ef1197d3 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_featuregates.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_featuregates.crd.yaml @@ -79,6 +79,7 @@ spec: - CustomNoUpgrade - DevPreviewNoUpgrade - TechPreviewNoUpgrade + - OKD - "" type: string x-kubernetes-validations: @@ -91,6 +92,8 @@ spec: - message: DevPreviewNoUpgrade may not be changed rule: 'oldSelf == ''DevPreviewNoUpgrade'' ? self == ''DevPreviewNoUpgrade'' : true' + - message: OKD cannot transition to Default + rule: 'oldSelf == ''OKD'' ? self != '''' : true' type: object x-kubernetes-validations: - message: .spec.featureSet cannot be removed diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-Default.crd.yaml deleted file mode 100644 index ee88c398e5..0000000000 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-Default.crd.yaml +++ /dev/null @@ -1,416 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/2310 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: Default - name: imagepolicies.config.openshift.io -spec: - group: config.openshift.io - names: - kind: ImagePolicy - listKind: ImagePolicyList - plural: imagepolicies - singular: imagepolicy - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - ImagePolicy holds namespace-wide configuration for image signature verification - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - policy: - description: |- - policy is a required field that contains configuration to allow scopes to be verified, and defines how - images not matching the verification policy will be treated. - properties: - rootOfTrust: - description: |- - rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. - This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. - properties: - fulcioCAWithRekor: - description: |- - fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. - fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise - For more information about Fulcio and Rekor, please refer to the document at: - https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor - properties: - fulcioCAData: - description: |- - fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. - fulcioCAData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the fulcioCAData must start with base64 encoding - of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the fulcioCAData must end with base64 encoding - of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - fulcioSubject: - description: fulcioSubject is a required field specifies - OIDC issuer and the email of the Fulcio authentication - configuration. - properties: - oidcIssuer: - description: |- - oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. - It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. - When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. - Example: "https://expected.OIDC.issuer/" - maxLength: 2048 - type: string - x-kubernetes-validations: - - message: oidcIssuer must be a valid URL - rule: isURL(self) - signedEmail: - description: |- - signedEmail is a required field holds the email address that the Fulcio certificate is issued for. - The signedEmail must be a valid email address and at most 320 characters in length. - Example: "expected-signing-user@example.com" - maxLength: 320 - type: string - x-kubernetes-validations: - - message: invalid email address - rule: self.matches('^\\S+@\\S+$') - required: - - oidcIssuer - - signedEmail - type: object - rekorKeyData: - description: |- - rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the rekorKeyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the rekorKeyData must end with base64 encoding - of '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - required: - - fulcioCAData - - fulcioSubject - - rekorKeyData - type: object - policyType: - description: |- - policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. - Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". - When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. - When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. - When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. - type: string - publicKey: - description: |- - publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. - publicKey is required when policyType is PublicKey, and forbidden otherwise. - properties: - keyData: - description: |- - keyData is a required field contains inline base64-encoded data for the PEM format public key. - keyData must be at most 8192 characters. - format: byte - maxLength: 8192 - minLength: 68 - type: string - x-kubernetes-validations: - - message: the keyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the keyData must end with base64 encoding of - '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - rekorKeyData: - description: |- - rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the rekorKeyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the rekorKeyData must end with base64 encoding - of '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - required: - - keyData - type: object - required: - - policyType - type: object - x-kubernetes-validations: - - message: publicKey is required when policyType is PublicKey, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''PublicKey'' - ? has(self.publicKey) : !has(self.publicKey)' - - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' - ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' - signedIdentity: - description: |- - signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. - The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". - properties: - exactRepository: - description: |- - exactRepository specifies the repository that must be exactly matched by the identity in the signature. - exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. - properties: - repository: - description: |- - repository is the reference of the image identity to be matched. - repository is required if matchPolicy is set to "ExactRepository". - The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - repository - type: object - matchPolicy: - description: |- - matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. - Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". - When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. - When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. - When set to "ExactRepository", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by "repository". - When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. - enum: - - MatchRepoDigestOrExact - - MatchRepository - - ExactRepository - - RemapIdentity - type: string - remapIdentity: - description: |- - remapIdentity specifies the prefix remapping rule for verifying image identity. - remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. - properties: - prefix: - description: |- - prefix is required if matchPolicy is set to "RemapIdentity". - prefix is the prefix of the image identity to be matched. - If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). - This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. - The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - signedPrefix: - description: |- - signedPrefix is required if matchPolicy is set to "RemapIdentity". - signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - prefix - - signedPrefix - type: object - required: - - matchPolicy - type: object - x-kubernetes-validations: - - message: exactRepository is required when matchPolicy is ExactRepository, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') - ? has(self.exactRepository) : !has(self.exactRepository)' - - message: remapIdentity is required when matchPolicy is RemapIdentity, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') - ? has(self.remapIdentity) : !has(self.remapIdentity)' - required: - - rootOfTrust - type: object - scopes: - description: |- - scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". - Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). - More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository - namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). - Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. - This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. - In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories - quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. - If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. - For additional details about the format, please refer to the document explaining the docker transport field, - which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker - items: - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid image scope format, scope must contain a fully - qualified domain name or 'localhost' - rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] - == ''localhost'' : true' - - message: invalid image scope with wildcard, a wildcard can only - be at the start of the domain and is only supported for subdomain - matching, not path matching - rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') - : true' - - message: invalid repository namespace or image specification in - the image scope - rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') - : true' - maxItems: 256 - type: array - x-kubernetes-list-type: set - required: - - policy - - scopes - type: object - status: - description: status contains the observed state of the resource. - properties: - conditions: - description: |- - conditions provide details on the status of this API Resource. - condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml deleted file mode 100644 index 99d2af1333..0000000000 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml +++ /dev/null @@ -1,511 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/2310 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: DevPreviewNoUpgrade - name: imagepolicies.config.openshift.io -spec: - group: config.openshift.io - names: - kind: ImagePolicy - listKind: ImagePolicyList - plural: imagepolicies - singular: imagepolicy - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - ImagePolicy holds namespace-wide configuration for image signature verification - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - policy: - description: |- - policy is a required field that contains configuration to allow scopes to be verified, and defines how - images not matching the verification policy will be treated. - properties: - rootOfTrust: - description: |- - rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. - This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. - properties: - fulcioCAWithRekor: - description: |- - fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. - fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise - For more information about Fulcio and Rekor, please refer to the document at: - https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor - properties: - fulcioCAData: - description: |- - fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. - fulcioCAData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the fulcioCAData must start with base64 encoding - of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the fulcioCAData must end with base64 encoding - of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - fulcioSubject: - description: fulcioSubject is a required field specifies - OIDC issuer and the email of the Fulcio authentication - configuration. - properties: - oidcIssuer: - description: |- - oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. - It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. - When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. - Example: "https://expected.OIDC.issuer/" - maxLength: 2048 - type: string - x-kubernetes-validations: - - message: oidcIssuer must be a valid URL - rule: isURL(self) - signedEmail: - description: |- - signedEmail is a required field holds the email address that the Fulcio certificate is issued for. - The signedEmail must be a valid email address and at most 320 characters in length. - Example: "expected-signing-user@example.com" - maxLength: 320 - type: string - x-kubernetes-validations: - - message: invalid email address - rule: self.matches('^\\S+@\\S+$') - required: - - oidcIssuer - - signedEmail - type: object - rekorKeyData: - description: |- - rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the rekorKeyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the rekorKeyData must end with base64 encoding - of '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - required: - - fulcioCAData - - fulcioSubject - - rekorKeyData - type: object - pki: - description: |- - pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. - pki is required when policyType is PKI, and forbidden otherwise. - properties: - caIntermediatesData: - description: |- - caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. - caIntermediatesData requires caRootsData to be set. - format: byte - maxLength: 8192 - minLength: 72 - type: string - x-kubernetes-validations: - - message: the caIntermediatesData must start with base64 - encoding of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the caIntermediatesData must end with base64 - encoding of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - - message: caIntermediatesData must be base64 encoding - of valid PEM format data contain the same number of - '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' - markers. - rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() - == string(self).findAll('-----END CERTIFICATE-----').size() - caRootsData: - description: caRootsData contains base64-encoded data - of a certificate bundle PEM file, which contains one - or more CA roots in the PEM format. The total length - of the data must not exceed 8192 characters. - format: byte - maxLength: 8192 - minLength: 72 - type: string - x-kubernetes-validations: - - message: the caRootsData must start with base64 encoding - of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the caRootsData must end with base64 encoding - of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - - message: caRootsData must be base64 encoding of valid - PEM format data contain the same number of '-----BEGIN - CERTIFICATE-----' and '-----END CERTIFICATE-----' - markers. - rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() - == string(self).findAll('-----END CERTIFICATE-----').size() - pkiCertificateSubject: - description: pkiCertificateSubject defines the requirements - imposed on the subject to which the certificate was - issued. - properties: - email: - description: |- - email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. - The email must be a valid email address and at most 320 characters in length. - maxLength: 320 - type: string - x-kubernetes-validations: - - message: invalid email address - rule: self.matches('^\\S+@\\S+$') - hostname: - description: |- - hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. - The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. - It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: hostname must be a valid dns 1123 subdomain - name, optionally prefixed by '*.'. It must consist - only of lowercase alphanumeric characters, hyphens, - periods and the optional preceding asterisk. - rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', - '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' - type: object - x-kubernetes-validations: - - message: at least one of email or hostname must be set - in pkiCertificateSubject - rule: has(self.email) || has(self.hostname) - required: - - caRootsData - - pkiCertificateSubject - type: object - policyType: - description: |- - policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. - Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". - When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. - When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. - When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. - enum: - - PublicKey - - FulcioCAWithRekor - - PKI - type: string - publicKey: - description: |- - publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. - publicKey is required when policyType is PublicKey, and forbidden otherwise. - properties: - keyData: - description: |- - keyData is a required field contains inline base64-encoded data for the PEM format public key. - keyData must be at most 8192 characters. - format: byte - maxLength: 8192 - minLength: 68 - type: string - x-kubernetes-validations: - - message: the keyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the keyData must end with base64 encoding of - '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - rekorKeyData: - description: |- - rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the rekorKeyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the rekorKeyData must end with base64 encoding - of '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - required: - - keyData - type: object - required: - - policyType - type: object - x-kubernetes-validations: - - message: pki is required when policyType is PKI, and forbidden - otherwise - rule: 'has(self.policyType) && self.policyType == ''PKI'' ? - has(self.pki) : !has(self.pki)' - - message: publicKey is required when policyType is PublicKey, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''PublicKey'' - ? has(self.publicKey) : !has(self.publicKey)' - - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' - ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' - signedIdentity: - description: |- - signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. - The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". - properties: - exactRepository: - description: |- - exactRepository specifies the repository that must be exactly matched by the identity in the signature. - exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. - properties: - repository: - description: |- - repository is the reference of the image identity to be matched. - repository is required if matchPolicy is set to "ExactRepository". - The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - repository - type: object - matchPolicy: - description: |- - matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. - Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". - When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. - When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. - When set to "ExactRepository", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by "repository". - When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. - enum: - - MatchRepoDigestOrExact - - MatchRepository - - ExactRepository - - RemapIdentity - type: string - remapIdentity: - description: |- - remapIdentity specifies the prefix remapping rule for verifying image identity. - remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. - properties: - prefix: - description: |- - prefix is required if matchPolicy is set to "RemapIdentity". - prefix is the prefix of the image identity to be matched. - If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). - This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. - The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - signedPrefix: - description: |- - signedPrefix is required if matchPolicy is set to "RemapIdentity". - signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - prefix - - signedPrefix - type: object - required: - - matchPolicy - type: object - x-kubernetes-validations: - - message: exactRepository is required when matchPolicy is ExactRepository, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') - ? has(self.exactRepository) : !has(self.exactRepository)' - - message: remapIdentity is required when matchPolicy is RemapIdentity, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') - ? has(self.remapIdentity) : !has(self.remapIdentity)' - required: - - rootOfTrust - type: object - scopes: - description: |- - scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". - Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). - More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository - namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). - Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. - This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. - In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories - quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. - If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. - For additional details about the format, please refer to the document explaining the docker transport field, - which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker - items: - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid image scope format, scope must contain a fully - qualified domain name or 'localhost' - rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] - == ''localhost'' : true' - - message: invalid image scope with wildcard, a wildcard can only - be at the start of the domain and is only supported for subdomain - matching, not path matching - rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') - : true' - - message: invalid repository namespace or image specification in - the image scope - rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') - : true' - maxItems: 256 - type: array - x-kubernetes-list-type: set - required: - - policy - - scopes - type: object - status: - description: status contains the observed state of the resource. - properties: - conditions: - description: |- - conditions provide details on the status of this API Resource. - condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml deleted file mode 100644 index a8b7aba7c2..0000000000 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml +++ /dev/null @@ -1,511 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/2310 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: TechPreviewNoUpgrade - name: imagepolicies.config.openshift.io -spec: - group: config.openshift.io - names: - kind: ImagePolicy - listKind: ImagePolicyList - plural: imagepolicies - singular: imagepolicy - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - ImagePolicy holds namespace-wide configuration for image signature verification - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - policy: - description: |- - policy is a required field that contains configuration to allow scopes to be verified, and defines how - images not matching the verification policy will be treated. - properties: - rootOfTrust: - description: |- - rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. - This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. - properties: - fulcioCAWithRekor: - description: |- - fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. - fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise - For more information about Fulcio and Rekor, please refer to the document at: - https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor - properties: - fulcioCAData: - description: |- - fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. - fulcioCAData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the fulcioCAData must start with base64 encoding - of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the fulcioCAData must end with base64 encoding - of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - fulcioSubject: - description: fulcioSubject is a required field specifies - OIDC issuer and the email of the Fulcio authentication - configuration. - properties: - oidcIssuer: - description: |- - oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. - It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. - When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. - Example: "https://expected.OIDC.issuer/" - maxLength: 2048 - type: string - x-kubernetes-validations: - - message: oidcIssuer must be a valid URL - rule: isURL(self) - signedEmail: - description: |- - signedEmail is a required field holds the email address that the Fulcio certificate is issued for. - The signedEmail must be a valid email address and at most 320 characters in length. - Example: "expected-signing-user@example.com" - maxLength: 320 - type: string - x-kubernetes-validations: - - message: invalid email address - rule: self.matches('^\\S+@\\S+$') - required: - - oidcIssuer - - signedEmail - type: object - rekorKeyData: - description: |- - rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the rekorKeyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the rekorKeyData must end with base64 encoding - of '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - required: - - fulcioCAData - - fulcioSubject - - rekorKeyData - type: object - pki: - description: |- - pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. - pki is required when policyType is PKI, and forbidden otherwise. - properties: - caIntermediatesData: - description: |- - caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. - caIntermediatesData requires caRootsData to be set. - format: byte - maxLength: 8192 - minLength: 72 - type: string - x-kubernetes-validations: - - message: the caIntermediatesData must start with base64 - encoding of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the caIntermediatesData must end with base64 - encoding of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - - message: caIntermediatesData must be base64 encoding - of valid PEM format data contain the same number of - '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' - markers. - rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() - == string(self).findAll('-----END CERTIFICATE-----').size() - caRootsData: - description: caRootsData contains base64-encoded data - of a certificate bundle PEM file, which contains one - or more CA roots in the PEM format. The total length - of the data must not exceed 8192 characters. - format: byte - maxLength: 8192 - minLength: 72 - type: string - x-kubernetes-validations: - - message: the caRootsData must start with base64 encoding - of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the caRootsData must end with base64 encoding - of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - - message: caRootsData must be base64 encoding of valid - PEM format data contain the same number of '-----BEGIN - CERTIFICATE-----' and '-----END CERTIFICATE-----' - markers. - rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() - == string(self).findAll('-----END CERTIFICATE-----').size() - pkiCertificateSubject: - description: pkiCertificateSubject defines the requirements - imposed on the subject to which the certificate was - issued. - properties: - email: - description: |- - email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. - The email must be a valid email address and at most 320 characters in length. - maxLength: 320 - type: string - x-kubernetes-validations: - - message: invalid email address - rule: self.matches('^\\S+@\\S+$') - hostname: - description: |- - hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. - The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. - It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: hostname must be a valid dns 1123 subdomain - name, optionally prefixed by '*.'. It must consist - only of lowercase alphanumeric characters, hyphens, - periods and the optional preceding asterisk. - rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', - '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' - type: object - x-kubernetes-validations: - - message: at least one of email or hostname must be set - in pkiCertificateSubject - rule: has(self.email) || has(self.hostname) - required: - - caRootsData - - pkiCertificateSubject - type: object - policyType: - description: |- - policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. - Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". - When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. - When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. - When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. - enum: - - PublicKey - - FulcioCAWithRekor - - PKI - type: string - publicKey: - description: |- - publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. - publicKey is required when policyType is PublicKey, and forbidden otherwise. - properties: - keyData: - description: |- - keyData is a required field contains inline base64-encoded data for the PEM format public key. - keyData must be at most 8192 characters. - format: byte - maxLength: 8192 - minLength: 68 - type: string - x-kubernetes-validations: - - message: the keyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the keyData must end with base64 encoding of - '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - rekorKeyData: - description: |- - rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the rekorKeyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the rekorKeyData must end with base64 encoding - of '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - required: - - keyData - type: object - required: - - policyType - type: object - x-kubernetes-validations: - - message: pki is required when policyType is PKI, and forbidden - otherwise - rule: 'has(self.policyType) && self.policyType == ''PKI'' ? - has(self.pki) : !has(self.pki)' - - message: publicKey is required when policyType is PublicKey, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''PublicKey'' - ? has(self.publicKey) : !has(self.publicKey)' - - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' - ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' - signedIdentity: - description: |- - signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. - The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". - properties: - exactRepository: - description: |- - exactRepository specifies the repository that must be exactly matched by the identity in the signature. - exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. - properties: - repository: - description: |- - repository is the reference of the image identity to be matched. - repository is required if matchPolicy is set to "ExactRepository". - The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - repository - type: object - matchPolicy: - description: |- - matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. - Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". - When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. - When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. - When set to "ExactRepository", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by "repository". - When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. - enum: - - MatchRepoDigestOrExact - - MatchRepository - - ExactRepository - - RemapIdentity - type: string - remapIdentity: - description: |- - remapIdentity specifies the prefix remapping rule for verifying image identity. - remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. - properties: - prefix: - description: |- - prefix is required if matchPolicy is set to "RemapIdentity". - prefix is the prefix of the image identity to be matched. - If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). - This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. - The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - signedPrefix: - description: |- - signedPrefix is required if matchPolicy is set to "RemapIdentity". - signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - prefix - - signedPrefix - type: object - required: - - matchPolicy - type: object - x-kubernetes-validations: - - message: exactRepository is required when matchPolicy is ExactRepository, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') - ? has(self.exactRepository) : !has(self.exactRepository)' - - message: remapIdentity is required when matchPolicy is RemapIdentity, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') - ? has(self.remapIdentity) : !has(self.remapIdentity)' - required: - - rootOfTrust - type: object - scopes: - description: |- - scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". - Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). - More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository - namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). - Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. - This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. - In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories - quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. - If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. - For additional details about the format, please refer to the document explaining the docker transport field, - which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker - items: - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid image scope format, scope must contain a fully - qualified domain name or 'localhost' - rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] - == ''localhost'' : true' - - message: invalid image scope with wildcard, a wildcard can only - be at the start of the domain and is only supported for subdomain - matching, not path matching - rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') - : true' - - message: invalid repository namespace or image specification in - the image scope - rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') - : true' - maxItems: 256 - type: array - x-kubernetes-list-type: set - required: - - policy - - scopes - type: object - status: - description: status contains the observed state of the resource. - properties: - conditions: - description: |- - conditions provide details on the status of this API Resource. - condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies.crd.yaml similarity index 99% rename from vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml rename to vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies.crd.yaml index f71c649524..d649f057d0 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies.crd.yaml @@ -6,7 +6,6 @@ metadata: api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: CustomNoUpgrade name: imagepolicies.config.openshift.io spec: group: config.openshift.io @@ -220,7 +219,7 @@ spec: Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. - When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). enum: - PublicKey - FulcioCAWithRekor diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-OKD.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-OKD.crd.yaml new file mode 100644 index 0000000000..ed9fb2c3b4 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-OKD.crd.yaml @@ -0,0 +1,2338 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: OKD + name: infrastructures.config.openshift.io +spec: + group: config.openshift.io + names: + kind: Infrastructure + listKind: InfrastructureList + plural: infrastructures + singular: infrastructure + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Infrastructure holds cluster-wide information about Infrastructure. The canonical name is `cluster` + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + cloudConfig: + description: |- + cloudConfig is a reference to a ConfigMap containing the cloud provider configuration file. + This configuration file is used to configure the Kubernetes cloud provider integration + when using the built-in cloud provider integration or the external cloud controller manager. + The namespace for this config map is openshift-config. + + cloudConfig should only be consumed by the kube_cloud_config controller. + The controller is responsible for using the user configuration in the spec + for various platforms and combining that with the user provided ConfigMap in this field + to create a stitched kube cloud config. + The controller generates a ConfigMap `kube-cloud-config` in `openshift-config-managed` namespace + with the kube cloud config is stored in `cloud.conf` key. + All the clients are expected to use the generated ConfigMap only. + properties: + key: + description: key allows pointing to a specific key/value inside + of the configmap. This is useful for logical file references. + type: string + name: + type: string + type: object + platformSpec: + description: |- + platformSpec holds desired information specific to the underlying + infrastructure provider. + properties: + alibabaCloud: + description: alibabaCloud contains settings specific to the Alibaba + Cloud infrastructure provider. + type: object + aws: + description: aws contains settings specific to the Amazon Web + Services infrastructure provider. + properties: + serviceEndpoints: + description: |- + serviceEndpoints list contains custom endpoints which will override default + service endpoint of AWS Services. + There must be only one ServiceEndpoint for a service. + items: + description: |- + AWSServiceEndpoint store the configuration of a custom url to + override existing defaults of AWS Services. + properties: + name: + description: |- + name is the name of the AWS service. + The list of all the service names can be found at https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html + This must be provided and cannot be empty. + pattern: ^[a-z0-9-]+$ + type: string + url: + description: |- + url is fully qualified URI with scheme https, that overrides the default generated + endpoint for a client. + This must be provided and cannot be empty. + pattern: ^https:// + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + azure: + description: azure contains settings specific to the Azure infrastructure + provider. + type: object + baremetal: + description: baremetal contains settings specific to the BareMetal + platform. + properties: + apiServerInternalIPs: + description: |- + apiServerInternalIPs are the IP addresses to contact the Kubernetes API + server that can be used by components inside the cluster, like kubelets + using the infrastructure rather than Kubernetes networking. These are the + IPs for a self-hosted load balancer in front of the API servers. + In dual stack clusters this list contains two IP addresses, one from IPv4 + family and one from IPv6. + In single stack clusters a single IP address is expected. + When omitted, values from the status.apiServerInternalIPs will be used. + Once set, the list cannot be completely removed (but its second entry can). + items: + description: IP is an IP address (for example, "10.0.0.0" + or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 2 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: apiServerInternalIPs must contain at most one IPv4 + address and at most one IPv6 address + rule: 'size(self) == 2 && isIP(self[0]) && isIP(self[1]) + ? ip(self[0]).family() != ip(self[1]).family() : true' + ingressIPs: + description: |- + ingressIPs are the external IPs which route to the default ingress + controller. The IPs are suitable targets of a wildcard DNS record used to + resolve default route host names. + In dual stack clusters this list contains two IP addresses, one from IPv4 + family and one from IPv6. + In single stack clusters a single IP address is expected. + When omitted, values from the status.ingressIPs will be used. + Once set, the list cannot be completely removed (but its second entry can). + items: + description: IP is an IP address (for example, "10.0.0.0" + or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 2 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: ingressIPs must contain at most one IPv4 address + and at most one IPv6 address + rule: 'size(self) == 2 && isIP(self[0]) && isIP(self[1]) + ? ip(self[0]).family() != ip(self[1]).family() : true' + machineNetworks: + description: |- + machineNetworks are IP networks used to connect all the OpenShift cluster + nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6, + for example "10.0.0.0/8" or "fd00::/8". + items: + description: CIDR is an IP address range in CIDR notation + (for example, "10.0.0.0/8" or "fd00::/8"). + maxLength: 43 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid CIDR network address + rule: isCIDR(self) + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - rule: self.all(x, self.exists_one(y, x == y)) + type: object + x-kubernetes-validations: + - message: apiServerInternalIPs list is required once set + rule: '!has(oldSelf.apiServerInternalIPs) || has(self.apiServerInternalIPs)' + - message: ingressIPs list is required once set + rule: '!has(oldSelf.ingressIPs) || has(self.ingressIPs)' + equinixMetal: + description: equinixMetal contains settings specific to the Equinix + Metal infrastructure provider. + type: object + external: + description: |- + ExternalPlatformType represents generic infrastructure provider. + Platform-specific components should be supplemented separately. + properties: + platformName: + default: Unknown + description: |- + platformName holds the arbitrary string representing the infrastructure provider name, expected to be set at the installation time. + This field is solely for informational and reporting purposes and is not expected to be used for decision-making. + type: string + x-kubernetes-validations: + - message: platform name cannot be changed once set + rule: oldSelf == 'Unknown' || self == oldSelf + type: object + gcp: + description: gcp contains settings specific to the Google Cloud + Platform infrastructure provider. + type: object + ibmcloud: + description: ibmcloud contains settings specific to the IBMCloud + infrastructure provider. + type: object + kubevirt: + description: kubevirt contains settings specific to the kubevirt + infrastructure provider. + type: object + nutanix: + description: nutanix contains settings specific to the Nutanix + infrastructure provider. + properties: + failureDomains: + description: |- + failureDomains configures failure domains information for the Nutanix platform. + When set, the failure domains defined here may be used to spread Machines across + prism element clusters to improve fault tolerance of the cluster. + items: + description: NutanixFailureDomain configures failure domain + information for the Nutanix platform. + properties: + cluster: + description: |- + cluster is to identify the cluster (the Prism Element under management of the Prism Central), + in which the Machine's VM will be created. The cluster identifier (uuid or name) can be obtained + from the Prism Central console or using the prism_central API. + properties: + name: + description: name is the resource name in the PC. + It cannot be empty if the type is Name. + type: string + type: + description: type is the identifier type to use + for this resource. + enum: + - UUID + - Name + type: string + uuid: + description: uuid is the UUID of the resource in + the PC. It cannot be empty if the type is UUID. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: uuid configuration is required when type + is UUID, and forbidden otherwise + rule: 'has(self.type) && self.type == ''UUID'' ? has(self.uuid) + : !has(self.uuid)' + - message: name configuration is required when type + is Name, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Name'' ? has(self.name) + : !has(self.name)' + name: + description: |- + name defines the unique name of a failure domain. + Name is required and must be at most 64 characters in length. + It must consist of only lower case alphanumeric characters and hyphens (-). + It must start and end with an alphanumeric character. + This value is arbitrary and is used to identify the failure domain within the platform. + maxLength: 64 + minLength: 1 + pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?' + type: string + subnets: + description: |- + subnets holds a list of identifiers (one or more) of the cluster's network subnets + If the feature gate NutanixMultiSubnets is enabled, up to 32 subnets may be configured. + for the Machine's VM to connect to. The subnet identifiers (uuid or name) can be + obtained from the Prism Central console or using the prism_central API. + items: + description: NutanixResourceIdentifier holds the identity + of a Nutanix PC resource (cluster, image, subnet, + etc.) + properties: + name: + description: name is the resource name in the + PC. It cannot be empty if the type is Name. + type: string + type: + description: type is the identifier type to use + for this resource. + enum: + - UUID + - Name + type: string + uuid: + description: uuid is the UUID of the resource + in the PC. It cannot be empty if the type is + UUID. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: uuid configuration is required when type + is UUID, and forbidden otherwise + rule: 'has(self.type) && self.type == ''UUID'' ? has(self.uuid) + : !has(self.uuid)' + - message: name configuration is required when type + is Name, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Name'' ? has(self.name) + : !has(self.name)' + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - cluster + - name + - subnets + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + prismCentral: + description: |- + prismCentral holds the endpoint address and port to access the Nutanix Prism Central. + When a cluster-wide proxy is installed, by default, this endpoint will be accessed via the proxy. + Should you wish for communication with this endpoint not to be proxied, please add the endpoint to the + proxy spec.noProxy list. + properties: + address: + description: address is the endpoint address (DNS name + or IP address) of the Nutanix Prism Central or Element + (cluster) + maxLength: 256 + type: string + port: + description: port is the port number to access the Nutanix + Prism Central or Element (cluster) + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - address + - port + type: object + prismElements: + description: |- + prismElements holds one or more endpoint address and port data to access the Nutanix + Prism Elements (clusters) of the Nutanix Prism Central. Currently we only support one + Prism Element (cluster) for an OpenShift cluster, where all the Nutanix resources (VMs, subnets, volumes, etc.) + used in the OpenShift cluster are located. In the future, we may support Nutanix resources (VMs, etc.) + spread over multiple Prism Elements (clusters) of the Prism Central. + items: + description: NutanixPrismElementEndpoint holds the name + and endpoint data for a Prism Element (cluster) + properties: + endpoint: + description: |- + endpoint holds the endpoint address and port data of the Prism Element (cluster). + When a cluster-wide proxy is installed, by default, this endpoint will be accessed via the proxy. + Should you wish for communication with this endpoint not to be proxied, please add the endpoint to the + proxy spec.noProxy list. + properties: + address: + description: address is the endpoint address (DNS + name or IP address) of the Nutanix Prism Central + or Element (cluster) + maxLength: 256 + type: string + port: + description: port is the port number to access the + Nutanix Prism Central or Element (cluster) + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - address + - port + type: object + name: + description: |- + name is the name of the Prism Element (cluster). This value will correspond with + the cluster field configured on other resources (eg Machines, PVCs, etc). + maxLength: 256 + type: string + required: + - endpoint + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - prismCentral + - prismElements + type: object + openstack: + description: openstack contains settings specific to the OpenStack + infrastructure provider. + properties: + apiServerInternalIPs: + description: |- + apiServerInternalIPs are the IP addresses to contact the Kubernetes API + server that can be used by components inside the cluster, like kubelets + using the infrastructure rather than Kubernetes networking. These are the + IPs for a self-hosted load balancer in front of the API servers. + In dual stack clusters this list contains two IP addresses, one from IPv4 + family and one from IPv6. + In single stack clusters a single IP address is expected. + When omitted, values from the status.apiServerInternalIPs will be used. + Once set, the list cannot be completely removed (but its second entry can). + items: + description: IP is an IP address (for example, "10.0.0.0" + or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 2 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: apiServerInternalIPs must contain at most one IPv4 + address and at most one IPv6 address + rule: 'size(self) == 2 && isIP(self[0]) && isIP(self[1]) + ? ip(self[0]).family() != ip(self[1]).family() : true' + ingressIPs: + description: |- + ingressIPs are the external IPs which route to the default ingress + controller. The IPs are suitable targets of a wildcard DNS record used to + resolve default route host names. + In dual stack clusters this list contains two IP addresses, one from IPv4 + family and one from IPv6. + In single stack clusters a single IP address is expected. + When omitted, values from the status.ingressIPs will be used. + Once set, the list cannot be completely removed (but its second entry can). + items: + description: IP is an IP address (for example, "10.0.0.0" + or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 2 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: ingressIPs must contain at most one IPv4 address + and at most one IPv6 address + rule: 'size(self) == 2 && isIP(self[0]) && isIP(self[1]) + ? ip(self[0]).family() != ip(self[1]).family() : true' + machineNetworks: + description: |- + machineNetworks are IP networks used to connect all the OpenShift cluster + nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6, + for example "10.0.0.0/8" or "fd00::/8". + items: + description: CIDR is an IP address range in CIDR notation + (for example, "10.0.0.0/8" or "fd00::/8"). + maxLength: 43 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid CIDR network address + rule: isCIDR(self) + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - rule: self.all(x, self.exists_one(y, x == y)) + type: object + x-kubernetes-validations: + - message: apiServerInternalIPs list is required once set + rule: '!has(oldSelf.apiServerInternalIPs) || has(self.apiServerInternalIPs)' + - message: ingressIPs list is required once set + rule: '!has(oldSelf.ingressIPs) || has(self.ingressIPs)' + ovirt: + description: ovirt contains settings specific to the oVirt infrastructure + provider. + type: object + powervs: + description: powervs contains settings specific to the IBM Power + Systems Virtual Servers infrastructure provider. + properties: + serviceEndpoints: + description: |- + serviceEndpoints is a list of custom endpoints which will override the default + service endpoints of a Power VS service. + items: + description: |- + PowervsServiceEndpoint stores the configuration of a custom url to + override existing defaults of PowerVS Services. + properties: + name: + description: |- + name is the name of the Power VS service. + Few of the services are + IAM - https://cloud.ibm.com/apidocs/iam-identity-token-api + ResourceController - https://cloud.ibm.com/apidocs/resource-controller/resource-controller + Power Cloud - https://cloud.ibm.com/apidocs/power-cloud + enum: + - CIS + - COS + - COSConfig + - DNSServices + - GlobalCatalog + - GlobalSearch + - GlobalTagging + - HyperProtect + - IAM + - KeyProtect + - Power + - ResourceController + - ResourceManager + - VPC + type: string + url: + description: |- + url is fully qualified URI with scheme https, that overrides the default generated + endpoint for a client. + This must be provided and cannot be empty. + format: uri + pattern: ^https:// + type: string + required: + - name + - url + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + type is the underlying infrastructure provider for the cluster. This + value controls whether infrastructure automation such as service load + balancers, dynamic volume provisioning, machine creation and deletion, and + other integrations are enabled. If None, no infrastructure automation is + enabled. Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", + "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", + "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms, + and must handle unrecognized platforms as None if they do not support that platform. + enum: + - "" + - AWS + - Azure + - BareMetal + - GCP + - Libvirt + - OpenStack + - None + - VSphere + - oVirt + - IBMCloud + - KubeVirt + - EquinixMetal + - PowerVS + - AlibabaCloud + - Nutanix + - External + type: string + vsphere: + description: vsphere contains settings specific to the VSphere + infrastructure provider. + properties: + apiServerInternalIPs: + description: |- + apiServerInternalIPs are the IP addresses to contact the Kubernetes API + server that can be used by components inside the cluster, like kubelets + using the infrastructure rather than Kubernetes networking. These are the + IPs for a self-hosted load balancer in front of the API servers. + In dual stack clusters this list contains two IP addresses, one from IPv4 + family and one from IPv6. + In single stack clusters a single IP address is expected. + When omitted, values from the status.apiServerInternalIPs will be used. + Once set, the list cannot be completely removed (but its second entry can). + items: + description: IP is an IP address (for example, "10.0.0.0" + or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 2 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: apiServerInternalIPs must contain at most one IPv4 + address and at most one IPv6 address + rule: 'size(self) == 2 && isIP(self[0]) && isIP(self[1]) + ? ip(self[0]).family() != ip(self[1]).family() : true' + failureDomains: + description: |- + failureDomains contains the definition of region, zone and the vCenter topology. + If this is omitted failure domains (regions and zones) will not be used. + items: + description: VSpherePlatformFailureDomainSpec holds the + region and zone failure domain and the vCenter topology + of that failure domain. + properties: + name: + description: |- + name defines the arbitrary but unique name + of a failure domain. + maxLength: 256 + minLength: 1 + type: string + region: + description: |- + region defines the name of a region tag that will + be attached to a vCenter datacenter. The tag + category in vCenter must be named openshift-region. + maxLength: 80 + minLength: 1 + type: string + regionAffinity: + description: |- + regionAffinity holds the type of region, Datacenter or ComputeCluster. + When set to Datacenter, this means the region is a vCenter Datacenter as defined in topology. + When set to ComputeCluster, this means the region is a vCenter Cluster as defined in topology. + properties: + type: + description: |- + type determines the vSphere object type for a region within this failure domain. + Available types are Datacenter and ComputeCluster. + When set to Datacenter, this means the vCenter Datacenter defined is the region. + When set to ComputeCluster, this means the vCenter cluster defined is the region. + enum: + - ComputeCluster + - Datacenter + type: string + required: + - type + type: object + server: + anyOf: + - format: ipv4 + - format: ipv6 + - format: hostname + description: server is the fully-qualified domain name + or the IP address of the vCenter server. + maxLength: 255 + minLength: 1 + type: string + topology: + description: topology describes a given failure domain + using vSphere constructs + properties: + computeCluster: + description: |- + computeCluster the absolute path of the vCenter cluster + in which virtual machine will be located. + The absolute path is of the form //host/. + The maximum length of the path is 2048 characters. + maxLength: 2048 + pattern: ^/.*?/host/.*? + type: string + datacenter: + description: |- + datacenter is the name of vCenter datacenter in which virtual machines will be located. + The maximum length of the datacenter name is 80 characters. + maxLength: 80 + type: string + datastore: + description: |- + datastore is the absolute path of the datastore in which the + virtual machine is located. + The absolute path is of the form //datastore/ + The maximum length of the path is 2048 characters. + maxLength: 2048 + pattern: ^/.*?/datastore/.*? + type: string + folder: + description: |- + folder is the absolute path of the folder where + virtual machines are located. The absolute path + is of the form //vm/. + The maximum length of the path is 2048 characters. + maxLength: 2048 + pattern: ^/.*?/vm/.*? + type: string + networks: + description: |- + networks is the list of port group network names within this failure domain. + If feature gate VSphereMultiNetworks is enabled, up to 10 network adapters may be defined. + 10 is the maximum number of virtual network devices which may be attached to a VM as defined by: + https://configmax.esp.vmware.com/guest?vmwareproduct=vSphere&release=vSphere%208.0&categories=1-0 + The available networks (port groups) can be listed using + `govc ls 'network/*'` + Networks should be in the form of an absolute path: + //network/. + items: + type: string + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + resourcePool: + description: |- + resourcePool is the absolute path of the resource pool where virtual machines will be + created. The absolute path is of the form //host//Resources/. + The maximum length of the path is 2048 characters. + maxLength: 2048 + pattern: ^/.*?/host/.*?/Resources.* + type: string + template: + description: |- + template is the full inventory path of the virtual machine or template + that will be cloned when creating new machines in this failure domain. + The maximum length of the path is 2048 characters. + + When omitted, the template will be calculated by the control plane + machineset operator based on the region and zone defined in + VSpherePlatformFailureDomainSpec. + For example, for zone=zonea, region=region1, and infrastructure name=test, + the template path would be calculated as //vm/test-rhcos-region1-zonea. + maxLength: 2048 + minLength: 1 + pattern: ^/.*?/vm/.*? + type: string + required: + - computeCluster + - datacenter + - datastore + - networks + type: object + zone: + description: |- + zone defines the name of a zone tag that will + be attached to a vCenter cluster. The tag + category in vCenter must be named openshift-zone. + maxLength: 80 + minLength: 1 + type: string + zoneAffinity: + description: |- + zoneAffinity holds the type of the zone and the hostGroup which + vmGroup and the hostGroup names in vCenter corresponds to + a vm-host group of type Virtual Machine and Host respectively. Is also + contains the vmHostRule which is an affinity vm-host rule in vCenter. + properties: + hostGroup: + description: |- + hostGroup holds the vmGroup and the hostGroup names in vCenter + corresponds to a vm-host group of type Virtual Machine and Host respectively. Is also + contains the vmHostRule which is an affinity vm-host rule in vCenter. + properties: + hostGroup: + description: |- + hostGroup is the name of the vm-host group of type host within vCenter for this failure domain. + hostGroup is limited to 80 characters. + This field is required when the VSphereFailureDomain ZoneType is HostGroup + maxLength: 80 + minLength: 1 + type: string + vmGroup: + description: |- + vmGroup is the name of the vm-host group of type virtual machine within vCenter for this failure domain. + vmGroup is limited to 80 characters. + This field is required when the VSphereFailureDomain ZoneType is HostGroup + maxLength: 80 + minLength: 1 + type: string + vmHostRule: + description: |- + vmHostRule is the name of the affinity vm-host rule within vCenter for this failure domain. + vmHostRule is limited to 80 characters. + This field is required when the VSphereFailureDomain ZoneType is HostGroup + maxLength: 80 + minLength: 1 + type: string + required: + - hostGroup + - vmGroup + - vmHostRule + type: object + type: + description: |- + type determines the vSphere object type for a zone within this failure domain. + Available types are ComputeCluster and HostGroup. + When set to ComputeCluster, this means the vCenter cluster defined is the zone. + When set to HostGroup, hostGroup must be configured with hostGroup, vmGroup and vmHostRule and + this means the zone is defined by the grouping of those fields. + enum: + - HostGroup + - ComputeCluster + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: hostGroup is required when type is HostGroup, + and forbidden otherwise + rule: 'has(self.type) && self.type == ''HostGroup'' + ? has(self.hostGroup) : !has(self.hostGroup)' + required: + - name + - region + - server + - topology + - zone + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + ingressIPs: + description: |- + ingressIPs are the external IPs which route to the default ingress + controller. The IPs are suitable targets of a wildcard DNS record used to + resolve default route host names. + In dual stack clusters this list contains two IP addresses, one from IPv4 + family and one from IPv6. + In single stack clusters a single IP address is expected. + When omitted, values from the status.ingressIPs will be used. + Once set, the list cannot be completely removed (but its second entry can). + items: + description: IP is an IP address (for example, "10.0.0.0" + or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 2 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: ingressIPs must contain at most one IPv4 address + and at most one IPv6 address + rule: 'size(self) == 2 && isIP(self[0]) && isIP(self[1]) + ? ip(self[0]).family() != ip(self[1]).family() : true' + machineNetworks: + description: |- + machineNetworks are IP networks used to connect all the OpenShift cluster + nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6, + for example "10.0.0.0/8" or "fd00::/8". + items: + description: CIDR is an IP address range in CIDR notation + (for example, "10.0.0.0/8" or "fd00::/8"). + maxLength: 43 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid CIDR network address + rule: isCIDR(self) + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - rule: self.all(x, self.exists_one(y, x == y)) + nodeNetworking: + description: |- + nodeNetworking contains the definition of internal and external network constraints for + assigning the node's networking. + If this field is omitted, networking defaults to the legacy + address selection behavior which is to only support a single address and + return the first one found. + properties: + external: + description: external represents the network configuration + of the node that is externally routable. + properties: + excludeNetworkSubnetCidr: + description: |- + excludeNetworkSubnetCidr IP addresses in subnet ranges will be excluded when selecting + the IP address from the VirtualMachine's VM for use in the status.addresses fields. + items: + format: cidr + type: string + type: array + x-kubernetes-list-type: atomic + network: + description: |- + network VirtualMachine's VM Network names that will be used to when searching + for status.addresses fields. Note that if internal.networkSubnetCIDR and + external.networkSubnetCIDR are not set, then the vNIC associated to this network must + only have a single IP address assigned to it. + The available networks (port groups) can be listed using + `govc ls 'network/*'` + type: string + networkSubnetCidr: + description: |- + networkSubnetCidr IP address on VirtualMachine's network interfaces included in the fields' CIDRs + that will be used in respective status.addresses fields. + items: + format: cidr + type: string + type: array + x-kubernetes-list-type: set + type: object + internal: + description: internal represents the network configuration + of the node that is routable only within the cluster. + properties: + excludeNetworkSubnetCidr: + description: |- + excludeNetworkSubnetCidr IP addresses in subnet ranges will be excluded when selecting + the IP address from the VirtualMachine's VM for use in the status.addresses fields. + items: + format: cidr + type: string + type: array + x-kubernetes-list-type: atomic + network: + description: |- + network VirtualMachine's VM Network names that will be used to when searching + for status.addresses fields. Note that if internal.networkSubnetCIDR and + external.networkSubnetCIDR are not set, then the vNIC associated to this network must + only have a single IP address assigned to it. + The available networks (port groups) can be listed using + `govc ls 'network/*'` + type: string + networkSubnetCidr: + description: |- + networkSubnetCidr IP address on VirtualMachine's network interfaces included in the fields' CIDRs + that will be used in respective status.addresses fields. + items: + format: cidr + type: string + type: array + x-kubernetes-list-type: set + type: object + type: object + vcenters: + description: |- + vcenters holds the connection details for services to communicate with vCenter. + Currently, only a single vCenter is supported, but in tech preview 3 vCenters are supported. + Once the cluster has been installed, you are unable to change the current number of defined + vCenters except in the case where the cluster has been upgraded from a version of OpenShift + where the vsphere platform spec was not present. You may make modifications to the existing + vCenters that are defined in the vcenters list in order to match with any added or modified + failure domains. + items: + description: |- + VSpherePlatformVCenterSpec stores the vCenter connection fields. + This is used by the vSphere CCM. + properties: + datacenters: + description: |- + The vCenter Datacenters in which the RHCOS + vm guests are located. This field will + be used by the Cloud Controller Manager. + Each datacenter listed here should be used within + a topology. + items: + type: string + minItems: 1 + type: array + x-kubernetes-list-type: set + port: + description: |- + port is the TCP port that will be used to communicate to + the vCenter endpoint. + When omitted, this means the user has no opinion and + it is up to the platform to choose a sensible default, + which is subject to change over time. + format: int32 + maximum: 32767 + minimum: 1 + type: integer + server: + anyOf: + - format: ipv4 + - format: ipv6 + - format: hostname + description: server is the fully-qualified domain name + or the IP address of the vCenter server. + maxLength: 255 + type: string + required: + - datacenters + - server + type: object + maxItems: 3 + minItems: 0 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: vcenters cannot be added or removed once set + rule: 'size(self) != size(oldSelf) ? size(oldSelf) == 0 + && size(self) < 2 : true' + type: object + x-kubernetes-validations: + - message: apiServerInternalIPs list is required once set + rule: '!has(oldSelf.apiServerInternalIPs) || has(self.apiServerInternalIPs)' + - message: ingressIPs list is required once set + rule: '!has(oldSelf.ingressIPs) || has(self.ingressIPs)' + - message: vcenters can have at most 1 item when configured post-install + rule: '!has(oldSelf.vcenters) && has(self.vcenters) ? size(self.vcenters) + < 2 : true' + type: object + x-kubernetes-validations: + - message: vcenters can have at most 1 item when configured post-install + rule: '!has(oldSelf.vsphere) && has(self.vsphere) ? size(self.vsphere.vcenters) + < 2 : true' + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + properties: + apiServerInternalURI: + description: |- + apiServerInternalURL is a valid URI with scheme 'https', + address and optionally a port (defaulting to 443). apiServerInternalURL can be used by components + like kubelets, to contact the Kubernetes API server using the + infrastructure provider rather than Kubernetes networking. + type: string + apiServerURL: + description: |- + apiServerURL is a valid URI with scheme 'https', address and + optionally a port (defaulting to 443). apiServerURL can be used by components like the web console + to tell users where to find the Kubernetes API. + type: string + controlPlaneTopology: + default: HighlyAvailable + description: |- + controlPlaneTopology expresses the expectations for operands that normally run on control nodes. + The default is 'HighlyAvailable', which represents the behavior operators have in a "normal" cluster. + The 'SingleReplica' mode will be used in single-node deployments + and the operators should not configure the operand for highly-available operation + The 'External' mode indicates that the control plane is hosted externally to the cluster and that + its components are not visible within the cluster. + enum: + - HighlyAvailable + - HighlyAvailableArbiter + - SingleReplica + - External + type: string + cpuPartitioning: + default: None + description: |- + cpuPartitioning expresses if CPU partitioning is a currently enabled feature in the cluster. + CPU Partitioning means that this cluster can support partitioning workloads to specific CPU Sets. + Valid values are "None" and "AllNodes". When omitted, the default value is "None". + The default value of "None" indicates that no nodes will be setup with CPU partitioning. + The "AllNodes" value indicates that all nodes have been setup with CPU partitioning, + and can then be further configured via the PerformanceProfile API. + enum: + - None + - AllNodes + type: string + etcdDiscoveryDomain: + description: |- + etcdDiscoveryDomain is the domain used to fetch the SRV records for discovering + etcd servers and clients. + For more info: https://github.com/etcd-io/etcd/blob/329be66e8b3f9e2e6af83c123ff89297e49ebd15/Documentation/op-guide/clustering.md#dns-discovery + deprecated: as of 4.7, this field is no longer set or honored. It will be removed in a future release. + type: string + infrastructureName: + description: |- + infrastructureName uniquely identifies a cluster with a human friendly name. + Once set it should not be changed. Must be of max length 27 and must have only + alphanumeric or hyphen characters. + type: string + infrastructureTopology: + default: HighlyAvailable + description: |- + infrastructureTopology expresses the expectations for infrastructure services that do not run on control + plane nodes, usually indicated by a node selector for a `role` value + other than `master`. + The default is 'HighlyAvailable', which represents the behavior operators have in a "normal" cluster. + The 'SingleReplica' mode will be used in single-node deployments + and the operators should not configure the operand for highly-available operation + NOTE: External topology mode is not applicable for this field. + enum: + - HighlyAvailable + - SingleReplica + type: string + platform: + description: |- + platform is the underlying infrastructure provider for the cluster. + + Deprecated: Use platformStatus.type instead. + enum: + - "" + - AWS + - Azure + - BareMetal + - GCP + - Libvirt + - OpenStack + - None + - VSphere + - oVirt + - IBMCloud + - KubeVirt + - EquinixMetal + - PowerVS + - AlibabaCloud + - Nutanix + - External + type: string + platformStatus: + description: |- + platformStatus holds status information specific to the underlying + infrastructure provider. + properties: + alibabaCloud: + description: alibabaCloud contains settings specific to the Alibaba + Cloud infrastructure provider. + properties: + region: + description: region specifies the region for Alibaba Cloud + resources created for the cluster. + pattern: ^[0-9A-Za-z-]+$ + type: string + resourceGroupID: + description: resourceGroupID is the ID of the resource group + for the cluster. + pattern: ^(rg-[0-9A-Za-z]+)?$ + type: string + resourceTags: + description: resourceTags is a list of additional tags to + apply to Alibaba Cloud resources created for the cluster. + items: + description: AlibabaCloudResourceTag is the set of tags + to add to apply to resources. + properties: + key: + description: key is the key of the tag. + maxLength: 128 + minLength: 1 + type: string + value: + description: value is the value of the tag. + maxLength: 128 + minLength: 1 + type: string + required: + - key + - value + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - key + x-kubernetes-list-type: map + required: + - region + type: object + aws: + description: aws contains settings specific to the Amazon Web + Services infrastructure provider. + properties: + region: + description: region holds the default AWS region for new AWS + resources created by the cluster. + type: string + resourceTags: + description: |- + resourceTags is a list of additional tags to apply to AWS resources created for the cluster. + See https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for information on tagging AWS resources. + AWS supports a maximum of 50 tags per resource. OpenShift reserves 25 tags for its use, leaving 25 tags + available for the user. + items: + description: AWSResourceTag is a tag to apply to AWS resources + created for the cluster. + properties: + key: + description: |- + key sets the key of the AWS resource tag key-value pair. Key is required when defining an AWS resource tag. + Key should consist of between 1 and 128 characters, and may + contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', and '@'. + maxLength: 128 + minLength: 1 + type: string + x-kubernetes-validations: + - message: invalid AWS resource tag key. The string + can contain only the set of alphanumeric characters, + space (' '), '_', '.', '/', '=', '+', '-', ':', + '@' + rule: self.matches('^[0-9A-Za-z_.:/=+-@ ]+$') + value: + description: |- + value sets the value of the AWS resource tag key-value pair. Value is required when defining an AWS resource tag. + Value should consist of between 1 and 256 characters, and may + contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', and '@'. + Some AWS service do not support empty values. Since tags are added to resources in many services, the + length of the tag value must meet the requirements of all services. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: invalid AWS resource tag value. The string + can contain only the set of alphanumeric characters, + space (' '), '_', '.', '/', '=', '+', '-', ':', + '@' + rule: self.matches('^[0-9A-Za-z_.:/=+-@ ]+$') + required: + - key + - value + type: object + maxItems: 25 + type: array + x-kubernetes-list-type: atomic + serviceEndpoints: + description: |- + serviceEndpoints list contains custom endpoints which will override default + service endpoint of AWS Services. + There must be only one ServiceEndpoint for a service. + items: + description: |- + AWSServiceEndpoint store the configuration of a custom url to + override existing defaults of AWS Services. + properties: + name: + description: |- + name is the name of the AWS service. + The list of all the service names can be found at https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html + This must be provided and cannot be empty. + pattern: ^[a-z0-9-]+$ + type: string + url: + description: |- + url is fully qualified URI with scheme https, that overrides the default generated + endpoint for a client. + This must be provided and cannot be empty. + pattern: ^https:// + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + azure: + description: azure contains settings specific to the Azure infrastructure + provider. + properties: + armEndpoint: + description: armEndpoint specifies a URL to use for resource + management in non-soverign clouds such as Azure Stack. + type: string + cloudName: + description: |- + cloudName is the name of the Azure cloud environment which can be used to configure the Azure SDK + with the appropriate Azure API endpoints. + If empty, the value is equal to `AzurePublicCloud`. + enum: + - "" + - AzurePublicCloud + - AzureUSGovernmentCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureStackCloud + type: string + networkResourceGroupName: + description: |- + networkResourceGroupName is the Resource Group for network resources like the Virtual Network and Subnets used by the cluster. + If empty, the value is same as ResourceGroupName. + type: string + resourceGroupName: + description: resourceGroupName is the Resource Group for new + Azure resources created for the cluster. + type: string + resourceTags: + description: |- + resourceTags is a list of additional tags to apply to Azure resources created for the cluster. + See https://docs.microsoft.com/en-us/rest/api/resources/tags for information on tagging Azure resources. + Due to limitations on Automation, Content Delivery Network, DNS Azure resources, a maximum of 15 tags + may be applied. OpenShift reserves 5 tags for internal use, allowing 10 tags for user configuration. + items: + description: AzureResourceTag is a tag to apply to Azure + resources created for the cluster. + properties: + key: + description: |- + key is the key part of the tag. A tag key can have a maximum of 128 characters and cannot be empty. Key + must begin with a letter, end with a letter, number or underscore, and must contain only alphanumeric + characters and the following special characters `_ . -`. + maxLength: 128 + minLength: 1 + pattern: ^[a-zA-Z]([0-9A-Za-z_.-]*[0-9A-Za-z_])?$ + type: string + value: + description: |- + value is the value part of the tag. A tag value can have a maximum of 256 characters and cannot be empty. Value + must contain only alphanumeric characters and the following special characters `_ + , - . / : ; < = > ? @`. + maxLength: 256 + minLength: 1 + pattern: ^[0-9A-Za-z_.=+-@]+$ + type: string + required: + - key + - value + type: object + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: resourceTags are immutable and may only be configured + during installation + rule: self.all(x, x in oldSelf) && oldSelf.all(x, x in self) + type: object + x-kubernetes-validations: + - message: resourceTags may only be configured during installation + rule: '!has(oldSelf.resourceTags) && !has(self.resourceTags) + || has(oldSelf.resourceTags) && has(self.resourceTags)' + baremetal: + description: baremetal contains settings specific to the BareMetal + platform. + properties: + apiServerInternalIP: + description: |- + apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used + by components inside the cluster, like kubelets using the infrastructure rather + than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI + points to. It is the IP for a self-hosted load balancer in front of the API servers. + + Deprecated: Use APIServerInternalIPs instead. + type: string + apiServerInternalIPs: + description: |- + apiServerInternalIPs are the IP addresses to contact the Kubernetes API + server that can be used by components inside the cluster, like kubelets + using the infrastructure rather than Kubernetes networking. These are the + IPs for a self-hosted load balancer in front of the API servers. In dual + stack clusters this list contains two IPs otherwise only one. + format: ip + items: + type: string + maxItems: 2 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: apiServerInternalIPs must contain at most one IPv4 + address and at most one IPv6 address + rule: 'self == oldSelf || (size(self) == 2 && isIP(self[0]) + && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() + : true)' + ingressIP: + description: |- + ingressIP is an external IP which routes to the default ingress controller. + The IP is a suitable target of a wildcard DNS record used to resolve default route host names. + + Deprecated: Use IngressIPs instead. + type: string + ingressIPs: + description: |- + ingressIPs are the external IPs which route to the default ingress + controller. The IPs are suitable targets of a wildcard DNS record used to + resolve default route host names. In dual stack clusters this list + contains two IPs otherwise only one. + format: ip + items: + type: string + maxItems: 2 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: ingressIPs must contain at most one IPv4 address + and at most one IPv6 address + rule: 'self == oldSelf || (size(self) == 2 && isIP(self[0]) + && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() + : true)' + loadBalancer: + default: + type: OpenShiftManagedDefault + description: loadBalancer defines how the load balancer used + by the cluster is configured. + properties: + type: + default: OpenShiftManagedDefault + description: |- + type defines the type of load balancer used by the cluster on BareMetal platform + which can be a user-managed or openshift-managed load balancer + that is to be used for the OpenShift API and Ingress endpoints. + When set to OpenShiftManagedDefault the static pods in charge of API and Ingress traffic load-balancing + defined in the machine config operator will be deployed. + When set to UserManaged these static pods will not be deployed and it is expected that + the load balancer is configured out of band by the deployer. + When omitted, this means no opinion and the platform is left to choose a reasonable default. + The default value is OpenShiftManagedDefault. + enum: + - OpenShiftManagedDefault + - UserManaged + type: string + x-kubernetes-validations: + - message: type is immutable once set + rule: oldSelf == '' || self == oldSelf + type: object + machineNetworks: + description: machineNetworks are IP networks used to connect + all the OpenShift cluster nodes. + items: + description: CIDR is an IP address range in CIDR notation + (for example, "10.0.0.0/8" or "fd00::/8"). + maxLength: 43 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid CIDR network address + rule: isCIDR(self) + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - rule: self.all(x, self.exists_one(y, x == y)) + nodeDNSIP: + description: |- + nodeDNSIP is the IP address for the internal DNS used by the + nodes. Unlike the one managed by the DNS operator, `NodeDNSIP` + provides name resolution for the nodes themselves. There is no DNS-as-a-service for + BareMetal deployments. In order to minimize necessary changes to the + datacenter DNS, a DNS service is hosted as a static pod to serve those hostnames + to the nodes in the cluster. + type: string + type: object + equinixMetal: + description: equinixMetal contains settings specific to the Equinix + Metal infrastructure provider. + properties: + apiServerInternalIP: + description: |- + apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used + by components inside the cluster, like kubelets using the infrastructure rather + than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI + points to. It is the IP for a self-hosted load balancer in front of the API servers. + type: string + ingressIP: + description: |- + ingressIP is an external IP which routes to the default ingress controller. + The IP is a suitable target of a wildcard DNS record used to resolve default route host names. + type: string + type: object + external: + description: external contains settings specific to the generic + External infrastructure provider. + properties: + cloudControllerManager: + description: |- + cloudControllerManager contains settings specific to the external Cloud Controller Manager (a.k.a. CCM or CPI). + When omitted, new nodes will be not tainted + and no extra initialization from the cloud controller manager is expected. + properties: + state: + description: |- + state determines whether or not an external Cloud Controller Manager is expected to + be installed within the cluster. + https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/#running-cloud-controller-manager + + Valid values are "External", "None" and omitted. + When set to "External", new nodes will be tainted as uninitialized when created, + preventing them from running workloads until they are initialized by the cloud controller manager. + When omitted or set to "None", new nodes will be not tainted + and no extra initialization from the cloud controller manager is expected. + enum: + - "" + - External + - None + type: string + x-kubernetes-validations: + - message: state is immutable once set + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: state may not be added or removed once set + rule: (has(self.state) == has(oldSelf.state)) || (!has(oldSelf.state) + && self.state != "External") + type: object + x-kubernetes-validations: + - message: cloudControllerManager may not be added or removed + once set + rule: has(self.cloudControllerManager) == has(oldSelf.cloudControllerManager) + gcp: + description: gcp contains settings specific to the Google Cloud + Platform infrastructure provider. + properties: + cloudLoadBalancerConfig: + default: + dnsType: PlatformDefault + description: |- + cloudLoadBalancerConfig holds configuration related to DNS and cloud + load balancers. It allows configuration of in-cluster DNS as an alternative + to the platform default DNS implementation. + When using the ClusterHosted DNS type, Load Balancer IP addresses + must be provided for the API and internal API load balancers as well as the + ingress load balancer. + nullable: true + properties: + clusterHosted: + description: |- + clusterHosted holds the IP addresses of API, API-Int and Ingress Load + Balancers on Cloud Platforms. The DNS solution hosted within the cluster + use these IP addresses to provide resolution for API, API-Int and Ingress + services. + properties: + apiIntLoadBalancerIPs: + description: |- + apiIntLoadBalancerIPs holds Load Balancer IPs for the internal API service. + These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses. + Entries in the apiIntLoadBalancerIPs must be unique. + A maximum of 16 IP addresses are permitted. + format: ip + items: + description: IP is an IP address (for example, "10.0.0.0" + or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 16 + type: array + x-kubernetes-list-type: set + apiLoadBalancerIPs: + description: |- + apiLoadBalancerIPs holds Load Balancer IPs for the API service. + These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses. + Could be empty for private clusters. + Entries in the apiLoadBalancerIPs must be unique. + A maximum of 16 IP addresses are permitted. + format: ip + items: + description: IP is an IP address (for example, "10.0.0.0" + or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 16 + type: array + x-kubernetes-list-type: set + ingressLoadBalancerIPs: + description: |- + ingressLoadBalancerIPs holds IPs for Ingress Load Balancers. + These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses. + Entries in the ingressLoadBalancerIPs must be unique. + A maximum of 16 IP addresses are permitted. + format: ip + items: + description: IP is an IP address (for example, "10.0.0.0" + or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 16 + type: array + x-kubernetes-list-type: set + type: object + dnsType: + default: PlatformDefault + description: |- + dnsType indicates the type of DNS solution in use within the cluster. Its default value of + `PlatformDefault` indicates that the cluster's DNS is the default provided by the cloud platform. + It can be set to `ClusterHosted` to bypass the configuration of the cloud default DNS. In this mode, + the cluster needs to provide a self-hosted DNS solution for the cluster's installation to succeed. + The cluster's use of the cloud's Load Balancers is unaffected by this setting. + The value is immutable after it has been set at install time. + Currently, there is no way for the customer to add additional DNS entries into the cluster hosted DNS. + Enabling this functionality allows the user to start their own DNS solution outside the cluster after + installation is complete. The customer would be responsible for configuring this custom DNS solution, + and it can be run in addition to the in-cluster DNS solution. + enum: + - ClusterHosted + - PlatformDefault + type: string + x-kubernetes-validations: + - message: dnsType is immutable + rule: oldSelf == '' || self == oldSelf + type: object + x-kubernetes-validations: + - message: clusterHosted is permitted only when dnsType is + ClusterHosted + rule: 'has(self.dnsType) && self.dnsType != ''ClusterHosted'' + ? !has(self.clusterHosted) : true' + projectID: + description: resourceGroupName is the Project ID for new GCP + resources created for the cluster. + type: string + region: + description: region holds the region for new GCP resources + created for the cluster. + type: string + resourceLabels: + description: |- + resourceLabels is a list of additional labels to apply to GCP resources created for the cluster. + See https://cloud.google.com/compute/docs/labeling-resources for information on labeling GCP resources. + GCP supports a maximum of 64 labels per resource. OpenShift reserves 32 labels for internal use, + allowing 32 labels for user configuration. + items: + description: GCPResourceLabel is a label to apply to GCP + resources created for the cluster. + properties: + key: + description: |- + key is the key part of the label. A label key can have a maximum of 63 characters and cannot be empty. + Label key must begin with a lowercase letter, and must contain only lowercase letters, numeric characters, + and the following special characters `_-`. Label key must not have the reserved prefixes `kubernetes-io` + and `openshift-io`. + maxLength: 63 + minLength: 1 + pattern: ^[a-z][0-9a-z_-]{0,62}$ + type: string + x-kubernetes-validations: + - message: label keys must not start with either `openshift-io` + or `kubernetes-io` + rule: '!self.startsWith(''openshift-io'') && !self.startsWith(''kubernetes-io'')' + value: + description: |- + value is the value part of the label. A label value can have a maximum of 63 characters and cannot be empty. + Value must contain only lowercase letters, numeric characters, and the following special characters `_-`. + maxLength: 63 + minLength: 1 + pattern: ^[0-9a-z_-]{1,63}$ + type: string + required: + - key + - value + type: object + maxItems: 32 + type: array + x-kubernetes-list-map-keys: + - key + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: resourceLabels are immutable and may only be configured + during installation + rule: self.all(x, x in oldSelf) && oldSelf.all(x, x in self) + resourceTags: + description: |- + resourceTags is a list of additional tags to apply to GCP resources created for the cluster. + See https://cloud.google.com/resource-manager/docs/tags/tags-overview for information on + tagging GCP resources. GCP supports a maximum of 50 tags per resource. + items: + description: GCPResourceTag is a tag to apply to GCP resources + created for the cluster. + properties: + key: + description: |- + key is the key part of the tag. A tag key can have a maximum of 63 characters and cannot be empty. + Tag key must begin and end with an alphanumeric character, and must contain only uppercase, lowercase + alphanumeric characters, and the following special characters `._-`. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z0-9]([0-9A-Za-z_.-]{0,61}[a-zA-Z0-9])?$ + type: string + parentID: + description: |- + parentID is the ID of the hierarchical resource where the tags are defined, + e.g. at the Organization or the Project level. To find the Organization or Project ID refer to the following pages: + https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id, + https://cloud.google.com/resource-manager/docs/creating-managing-projects#identifying_projects. + An OrganizationID must consist of decimal numbers, and cannot have leading zeroes. + A ProjectID must be 6 to 30 characters in length, can only contain lowercase letters, numbers, + and hyphens, and must start with a letter, and cannot end with a hyphen. + maxLength: 32 + minLength: 1 + pattern: (^[1-9][0-9]{0,31}$)|(^[a-z][a-z0-9-]{4,28}[a-z0-9]$) + type: string + value: + description: |- + value is the value part of the tag. A tag value can have a maximum of 63 characters and cannot be empty. + Tag value must begin and end with an alphanumeric character, and must contain only uppercase, lowercase + alphanumeric characters, and the following special characters `_-.@%=+:,*#&(){}[]` and spaces. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z0-9]([0-9A-Za-z_.@%=+:,*#&()\[\]{}\-\s]{0,61}[a-zA-Z0-9])?$ + type: string + required: + - key + - parentID + - value + type: object + maxItems: 50 + type: array + x-kubernetes-list-map-keys: + - key + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: resourceTags are immutable and may only be configured + during installation + rule: self.all(x, x in oldSelf) && oldSelf.all(x, x in self) + type: object + x-kubernetes-validations: + - message: resourceLabels may only be configured during installation + rule: '!has(oldSelf.resourceLabels) && !has(self.resourceLabels) + || has(oldSelf.resourceLabels) && has(self.resourceLabels)' + - message: resourceTags may only be configured during installation + rule: '!has(oldSelf.resourceTags) && !has(self.resourceTags) + || has(oldSelf.resourceTags) && has(self.resourceTags)' + ibmcloud: + description: ibmcloud contains settings specific to the IBMCloud + infrastructure provider. + properties: + cisInstanceCRN: + description: |- + cisInstanceCRN is the CRN of the Cloud Internet Services instance managing + the DNS zone for the cluster's base domain + type: string + dnsInstanceCRN: + description: |- + dnsInstanceCRN is the CRN of the DNS Services instance managing the DNS zone + for the cluster's base domain + type: string + location: + description: location is where the cluster has been deployed + type: string + providerType: + description: providerType indicates the type of cluster that + was created + type: string + resourceGroupName: + description: resourceGroupName is the Resource Group for new + IBMCloud resources created for the cluster. + type: string + serviceEndpoints: + description: |- + serviceEndpoints is a list of custom endpoints which will override the default + service endpoints of an IBM service. These endpoints are used by components + within the cluster when trying to reach the IBM Cloud Services that have been + overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each + endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus + are updated to reflect the same custom endpoints. + items: + description: |- + IBMCloudServiceEndpoint stores the configuration of a custom url to + override existing defaults of IBM Cloud Services. + properties: + name: + description: |- + name is the name of the IBM Cloud service. + Possible values are: CIS, COS, COSConfig, DNSServices, GlobalCatalog, GlobalSearch, GlobalTagging, HyperProtect, IAM, KeyProtect, ResourceController, ResourceManager, or VPC. + For example, the IBM Cloud Private IAM service could be configured with the + service `name` of `IAM` and `url` of `https://private.iam.cloud.ibm.com` + Whereas the IBM Cloud Private VPC service for US South (Dallas) could be configured + with the service `name` of `VPC` and `url` of `https://us.south.private.iaas.cloud.ibm.com` + enum: + - CIS + - COS + - COSConfig + - DNSServices + - GlobalCatalog + - GlobalSearch + - GlobalTagging + - HyperProtect + - IAM + - KeyProtect + - ResourceController + - ResourceManager + - VPC + type: string + url: + description: |- + url is fully qualified URI with scheme https, that overrides the default generated + endpoint for a client. + This must be provided and cannot be empty. The path must follow the pattern + /v[0,9]+ or /api/v[0,9]+ + maxLength: 300 + type: string + x-kubernetes-validations: + - message: url must be a valid absolute URL + rule: isURL(self) + required: + - name + - url + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + kubevirt: + description: kubevirt contains settings specific to the kubevirt + infrastructure provider. + properties: + apiServerInternalIP: + description: |- + apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used + by components inside the cluster, like kubelets using the infrastructure rather + than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI + points to. It is the IP for a self-hosted load balancer in front of the API servers. + type: string + ingressIP: + description: |- + ingressIP is an external IP which routes to the default ingress controller. + The IP is a suitable target of a wildcard DNS record used to resolve default route host names. + type: string + type: object + nutanix: + description: nutanix contains settings specific to the Nutanix + infrastructure provider. + properties: + apiServerInternalIP: + description: |- + apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used + by components inside the cluster, like kubelets using the infrastructure rather + than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI + points to. It is the IP for a self-hosted load balancer in front of the API servers. + + Deprecated: Use APIServerInternalIPs instead. + type: string + apiServerInternalIPs: + description: |- + apiServerInternalIPs are the IP addresses to contact the Kubernetes API + server that can be used by components inside the cluster, like kubelets + using the infrastructure rather than Kubernetes networking. These are the + IPs for a self-hosted load balancer in front of the API servers. In dual + stack clusters this list contains two IPs otherwise only one. + format: ip + items: + type: string + maxItems: 2 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: apiServerInternalIPs must contain at most one IPv4 + address and at most one IPv6 address + rule: 'self == oldSelf || (size(self) == 2 && isIP(self[0]) + && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() + : true)' + ingressIP: + description: |- + ingressIP is an external IP which routes to the default ingress controller. + The IP is a suitable target of a wildcard DNS record used to resolve default route host names. + + Deprecated: Use IngressIPs instead. + type: string + ingressIPs: + description: |- + ingressIPs are the external IPs which route to the default ingress + controller. The IPs are suitable targets of a wildcard DNS record used to + resolve default route host names. In dual stack clusters this list + contains two IPs otherwise only one. + format: ip + items: + type: string + maxItems: 2 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: ingressIPs must contain at most one IPv4 address + and at most one IPv6 address + rule: 'self == oldSelf || (size(self) == 2 && isIP(self[0]) + && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() + : true)' + loadBalancer: + default: + type: OpenShiftManagedDefault + description: loadBalancer defines how the load balancer used + by the cluster is configured. + properties: + type: + default: OpenShiftManagedDefault + description: |- + type defines the type of load balancer used by the cluster on Nutanix platform + which can be a user-managed or openshift-managed load balancer + that is to be used for the OpenShift API and Ingress endpoints. + When set to OpenShiftManagedDefault the static pods in charge of API and Ingress traffic load-balancing + defined in the machine config operator will be deployed. + When set to UserManaged these static pods will not be deployed and it is expected that + the load balancer is configured out of band by the deployer. + When omitted, this means no opinion and the platform is left to choose a reasonable default. + The default value is OpenShiftManagedDefault. + enum: + - OpenShiftManagedDefault + - UserManaged + type: string + x-kubernetes-validations: + - message: type is immutable once set + rule: oldSelf == '' || self == oldSelf + type: object + type: object + openstack: + description: openstack contains settings specific to the OpenStack + infrastructure provider. + properties: + apiServerInternalIP: + description: |- + apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used + by components inside the cluster, like kubelets using the infrastructure rather + than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI + points to. It is the IP for a self-hosted load balancer in front of the API servers. + + Deprecated: Use APIServerInternalIPs instead. + type: string + apiServerInternalIPs: + description: |- + apiServerInternalIPs are the IP addresses to contact the Kubernetes API + server that can be used by components inside the cluster, like kubelets + using the infrastructure rather than Kubernetes networking. These are the + IPs for a self-hosted load balancer in front of the API servers. In dual + stack clusters this list contains two IPs otherwise only one. + format: ip + items: + type: string + maxItems: 2 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: apiServerInternalIPs must contain at most one IPv4 + address and at most one IPv6 address + rule: 'self == oldSelf || (size(self) == 2 && isIP(self[0]) + && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() + : true)' + cloudName: + description: |- + cloudName is the name of the desired OpenStack cloud in the + client configuration file (`clouds.yaml`). + type: string + ingressIP: + description: |- + ingressIP is an external IP which routes to the default ingress controller. + The IP is a suitable target of a wildcard DNS record used to resolve default route host names. + + Deprecated: Use IngressIPs instead. + type: string + ingressIPs: + description: |- + ingressIPs are the external IPs which route to the default ingress + controller. The IPs are suitable targets of a wildcard DNS record used to + resolve default route host names. In dual stack clusters this list + contains two IPs otherwise only one. + format: ip + items: + type: string + maxItems: 2 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: ingressIPs must contain at most one IPv4 address + and at most one IPv6 address + rule: 'self == oldSelf || (size(self) == 2 && isIP(self[0]) + && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() + : true)' + loadBalancer: + default: + type: OpenShiftManagedDefault + description: loadBalancer defines how the load balancer used + by the cluster is configured. + properties: + type: + default: OpenShiftManagedDefault + description: |- + type defines the type of load balancer used by the cluster on OpenStack platform + which can be a user-managed or openshift-managed load balancer + that is to be used for the OpenShift API and Ingress endpoints. + When set to OpenShiftManagedDefault the static pods in charge of API and Ingress traffic load-balancing + defined in the machine config operator will be deployed. + When set to UserManaged these static pods will not be deployed and it is expected that + the load balancer is configured out of band by the deployer. + When omitted, this means no opinion and the platform is left to choose a reasonable default. + The default value is OpenShiftManagedDefault. + enum: + - OpenShiftManagedDefault + - UserManaged + type: string + x-kubernetes-validations: + - message: type is immutable once set + rule: oldSelf == '' || self == oldSelf + type: object + machineNetworks: + description: machineNetworks are IP networks used to connect + all the OpenShift cluster nodes. + items: + description: CIDR is an IP address range in CIDR notation + (for example, "10.0.0.0/8" or "fd00::/8"). + maxLength: 43 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid CIDR network address + rule: isCIDR(self) + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - rule: self.all(x, self.exists_one(y, x == y)) + nodeDNSIP: + description: |- + nodeDNSIP is the IP address for the internal DNS used by the + nodes. Unlike the one managed by the DNS operator, `NodeDNSIP` + provides name resolution for the nodes themselves. There is no DNS-as-a-service for + OpenStack deployments. In order to minimize necessary changes to the + datacenter DNS, a DNS service is hosted as a static pod to serve those hostnames + to the nodes in the cluster. + type: string + type: object + ovirt: + description: ovirt contains settings specific to the oVirt infrastructure + provider. + properties: + apiServerInternalIP: + description: |- + apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used + by components inside the cluster, like kubelets using the infrastructure rather + than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI + points to. It is the IP for a self-hosted load balancer in front of the API servers. + + Deprecated: Use APIServerInternalIPs instead. + type: string + apiServerInternalIPs: + description: |- + apiServerInternalIPs are the IP addresses to contact the Kubernetes API + server that can be used by components inside the cluster, like kubelets + using the infrastructure rather than Kubernetes networking. These are the + IPs for a self-hosted load balancer in front of the API servers. In dual + stack clusters this list contains two IPs otherwise only one. + format: ip + items: + type: string + maxItems: 2 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: apiServerInternalIPs must contain at most one IPv4 + address and at most one IPv6 address + rule: 'self == oldSelf || (size(self) == 2 && isIP(self[0]) + && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() + : true)' + ingressIP: + description: |- + ingressIP is an external IP which routes to the default ingress controller. + The IP is a suitable target of a wildcard DNS record used to resolve default route host names. + + Deprecated: Use IngressIPs instead. + type: string + ingressIPs: + description: |- + ingressIPs are the external IPs which route to the default ingress + controller. The IPs are suitable targets of a wildcard DNS record used to + resolve default route host names. In dual stack clusters this list + contains two IPs otherwise only one. + format: ip + items: + type: string + maxItems: 2 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: ingressIPs must contain at most one IPv4 address + and at most one IPv6 address + rule: 'self == oldSelf || (size(self) == 2 && isIP(self[0]) + && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() + : true)' + loadBalancer: + default: + type: OpenShiftManagedDefault + description: loadBalancer defines how the load balancer used + by the cluster is configured. + properties: + type: + default: OpenShiftManagedDefault + description: |- + type defines the type of load balancer used by the cluster on Ovirt platform + which can be a user-managed or openshift-managed load balancer + that is to be used for the OpenShift API and Ingress endpoints. + When set to OpenShiftManagedDefault the static pods in charge of API and Ingress traffic load-balancing + defined in the machine config operator will be deployed. + When set to UserManaged these static pods will not be deployed and it is expected that + the load balancer is configured out of band by the deployer. + When omitted, this means no opinion and the platform is left to choose a reasonable default. + The default value is OpenShiftManagedDefault. + enum: + - OpenShiftManagedDefault + - UserManaged + type: string + x-kubernetes-validations: + - message: type is immutable once set + rule: oldSelf == '' || self == oldSelf + type: object + nodeDNSIP: + description: 'deprecated: as of 4.6, this field is no longer + set or honored. It will be removed in a future release.' + type: string + type: object + powervs: + description: powervs contains settings specific to the Power Systems + Virtual Servers infrastructure provider. + properties: + cisInstanceCRN: + description: |- + cisInstanceCRN is the CRN of the Cloud Internet Services instance managing + the DNS zone for the cluster's base domain + type: string + dnsInstanceCRN: + description: |- + dnsInstanceCRN is the CRN of the DNS Services instance managing the DNS zone + for the cluster's base domain + type: string + region: + description: region holds the default Power VS region for + new Power VS resources created by the cluster. + type: string + resourceGroup: + description: |- + resourceGroup is the resource group name for new IBMCloud resources created for a cluster. + The resource group specified here will be used by cluster-image-registry-operator to set up a COS Instance in IBMCloud for the cluster registry. + More about resource groups can be found here: https://cloud.ibm.com/docs/account?topic=account-rgs. + When omitted, the image registry operator won't be able to configure storage, + which results in the image registry cluster operator not being in an available state. + maxLength: 40 + pattern: ^[a-zA-Z0-9-_ ]+$ + type: string + x-kubernetes-validations: + - message: resourceGroup is immutable once set + rule: oldSelf == '' || self == oldSelf + serviceEndpoints: + description: |- + serviceEndpoints is a list of custom endpoints which will override the default + service endpoints of a Power VS service. + items: + description: |- + PowervsServiceEndpoint stores the configuration of a custom url to + override existing defaults of PowerVS Services. + properties: + name: + description: |- + name is the name of the Power VS service. + Few of the services are + IAM - https://cloud.ibm.com/apidocs/iam-identity-token-api + ResourceController - https://cloud.ibm.com/apidocs/resource-controller/resource-controller + Power Cloud - https://cloud.ibm.com/apidocs/power-cloud + enum: + - CIS + - COS + - COSConfig + - DNSServices + - GlobalCatalog + - GlobalSearch + - GlobalTagging + - HyperProtect + - IAM + - KeyProtect + - Power + - ResourceController + - ResourceManager + - VPC + type: string + url: + description: |- + url is fully qualified URI with scheme https, that overrides the default generated + endpoint for a client. + This must be provided and cannot be empty. + format: uri + pattern: ^https:// + type: string + required: + - name + - url + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + zone: + description: |- + zone holds the default zone for the new Power VS resources created by the cluster. + Note: Currently only single-zone OCP clusters are supported + type: string + type: object + x-kubernetes-validations: + - message: cannot unset resourceGroup once set + rule: '!has(oldSelf.resourceGroup) || has(self.resourceGroup)' + type: + description: |- + type is the underlying infrastructure provider for the cluster. This + value controls whether infrastructure automation such as service load + balancers, dynamic volume provisioning, machine creation and deletion, and + other integrations are enabled. If None, no infrastructure automation is + enabled. Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", + "OpenStack", "VSphere", "oVirt", "EquinixMetal", "PowerVS", "AlibabaCloud", "Nutanix" and "None". + Individual components may not support all platforms, and must handle + unrecognized platforms as None if they do not support that platform. + + This value will be synced with to the `status.platform` and `status.platformStatus.type`. + Currently this value cannot be changed once set. + enum: + - "" + - AWS + - Azure + - BareMetal + - GCP + - Libvirt + - OpenStack + - None + - VSphere + - oVirt + - IBMCloud + - KubeVirt + - EquinixMetal + - PowerVS + - AlibabaCloud + - Nutanix + - External + type: string + vsphere: + description: vsphere contains settings specific to the VSphere + infrastructure provider. + properties: + apiServerInternalIP: + description: |- + apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used + by components inside the cluster, like kubelets using the infrastructure rather + than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI + points to. It is the IP for a self-hosted load balancer in front of the API servers. + + Deprecated: Use APIServerInternalIPs instead. + type: string + apiServerInternalIPs: + description: |- + apiServerInternalIPs are the IP addresses to contact the Kubernetes API + server that can be used by components inside the cluster, like kubelets + using the infrastructure rather than Kubernetes networking. These are the + IPs for a self-hosted load balancer in front of the API servers. In dual + stack clusters this list contains two IPs otherwise only one. + format: ip + items: + type: string + maxItems: 2 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: apiServerInternalIPs must contain at most one IPv4 + address and at most one IPv6 address + rule: 'self == oldSelf || (size(self) == 2 && isIP(self[0]) + && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() + : true)' + ingressIP: + description: |- + ingressIP is an external IP which routes to the default ingress controller. + The IP is a suitable target of a wildcard DNS record used to resolve default route host names. + + Deprecated: Use IngressIPs instead. + type: string + ingressIPs: + description: |- + ingressIPs are the external IPs which route to the default ingress + controller. The IPs are suitable targets of a wildcard DNS record used to + resolve default route host names. In dual stack clusters this list + contains two IPs otherwise only one. + format: ip + items: + type: string + maxItems: 2 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: ingressIPs must contain at most one IPv4 address + and at most one IPv6 address + rule: 'self == oldSelf || (size(self) == 2 && isIP(self[0]) + && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() + : true)' + loadBalancer: + default: + type: OpenShiftManagedDefault + description: loadBalancer defines how the load balancer used + by the cluster is configured. + properties: + type: + default: OpenShiftManagedDefault + description: |- + type defines the type of load balancer used by the cluster on VSphere platform + which can be a user-managed or openshift-managed load balancer + that is to be used for the OpenShift API and Ingress endpoints. + When set to OpenShiftManagedDefault the static pods in charge of API and Ingress traffic load-balancing + defined in the machine config operator will be deployed. + When set to UserManaged these static pods will not be deployed and it is expected that + the load balancer is configured out of band by the deployer. + When omitted, this means no opinion and the platform is left to choose a reasonable default. + The default value is OpenShiftManagedDefault. + enum: + - OpenShiftManagedDefault + - UserManaged + type: string + x-kubernetes-validations: + - message: type is immutable once set + rule: oldSelf == '' || self == oldSelf + type: object + machineNetworks: + description: machineNetworks are IP networks used to connect + all the OpenShift cluster nodes. + items: + description: CIDR is an IP address range in CIDR notation + (for example, "10.0.0.0/8" or "fd00::/8"). + maxLength: 43 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid CIDR network address + rule: isCIDR(self) + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - rule: self.all(x, self.exists_one(y, x == y)) + nodeDNSIP: + description: |- + nodeDNSIP is the IP address for the internal DNS used by the + nodes. Unlike the one managed by the DNS operator, `NodeDNSIP` + provides name resolution for the nodes themselves. There is no DNS-as-a-service for + vSphere deployments. In order to minimize necessary changes to the + datacenter DNS, a DNS service is hosted as a static pod to serve those hostnames + to the nodes in the cluster. + type: string + type: object + type: object + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-OKD.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-OKD.crd.yaml new file mode 100644 index 0000000000..84f5bf2660 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-OKD.crd.yaml @@ -0,0 +1,136 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/1107 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: OKD + name: nodes.config.openshift.io +spec: + group: config.openshift.io + names: + kind: Node + listKind: NodeList + plural: nodes + singular: node + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Node holds cluster-wide information about node specific features. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + cgroupMode: + description: cgroupMode determines the cgroups version on the node + enum: + - v2 + - "" + type: string + workerLatencyProfile: + description: |- + workerLatencyProfile determins the how fast the kubelet is updating + the status and corresponding reaction of the cluster + enum: + - Default + - MediumUpdateAverageReaction + - LowUpdateSlowReaction + type: string + type: object + status: + description: status holds observed values. + properties: + conditions: + description: conditions contain the details and the current state + of the nodes.config object + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_schedulers-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_schedulers-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml index e57a58f012..ab3788f700 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_schedulers-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_schedulers-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml @@ -108,28 +108,6 @@ spec: - HighNodeUtilization - NoScoring type: string - profileCustomizations: - description: |- - profileCustomizations contains configuration for modifying the default behavior of existing scheduler profiles. - Deprecated: no longer needed, since DRA is GA starting with 4.21, and - is enabled by' default in the cluster, this field will be removed in 4.24. - properties: - dynamicResourceAllocation: - description: |- - dynamicResourceAllocation allows to enable or disable dynamic resource allocation within the scheduler. - Dynamic resource allocation is an API for requesting and sharing resources between pods and containers inside a pod. - Third-party resource drivers are responsible for tracking and allocating resources. - Different kinds of resources support arbitrary parameters for defining requirements and initialization. - Valid values are Enabled, Disabled and omitted. - When omitted, this means no opinion and the platform is left to choose a reasonable default, - which is subject to change over time. - The current default is Disabled. - enum: - - "" - - Enabled - - Disabled - type: string - type: object type: object status: description: status holds observed values from the cluster. They may not diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_schedulers-SelfManagedHA-OKD.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_schedulers-SelfManagedHA-OKD.crd.yaml new file mode 100644 index 0000000000..c45c0f5201 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_schedulers-SelfManagedHA-OKD.crd.yaml @@ -0,0 +1,122 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: OKD + name: schedulers.config.openshift.io +spec: + group: config.openshift.io + names: + kind: Scheduler + listKind: SchedulerList + plural: schedulers + singular: scheduler + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Scheduler holds cluster-wide config information to run the Kubernetes Scheduler + and influence its placement decisions. The canonical name for this config is `cluster`. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + defaultNodeSelector: + description: |- + defaultNodeSelector helps set the cluster-wide default node selector to + restrict pod placement to specific nodes. This is applied to the pods + created in all namespaces and creates an intersection with any existing + nodeSelectors already set on a pod, additionally constraining that pod's selector. + For example, + defaultNodeSelector: "type=user-node,region=east" would set nodeSelector + field in pod spec to "type=user-node,region=east" to all pods created + in all namespaces. Namespaces having project-wide node selectors won't be + impacted even if this field is set. This adds an annotation section to + the namespace. + For example, if a new namespace is created with + node-selector='type=user-node,region=east', + the annotation openshift.io/node-selector: type=user-node,region=east + gets added to the project. When the openshift.io/node-selector annotation + is set on the project the value is used in preference to the value we are setting + for defaultNodeSelector field. + For instance, + openshift.io/node-selector: "type=user-node,region=west" means + that the default of "type=user-node,region=east" set in defaultNodeSelector + would not be applied. + type: string + mastersSchedulable: + description: |- + mastersSchedulable allows masters nodes to be schedulable. When this flag is + turned on, all the master nodes in the cluster will be made schedulable, + so that workload pods can run on them. The default value for this field is false, + meaning none of the master nodes are schedulable. + Important Note: Once the workload pods start running on the master nodes, + extreme care must be taken to ensure that cluster-critical control plane components + are not impacted. + Please turn on this field after doing due diligence. + type: boolean + policy: + description: |- + DEPRECATED: the scheduler Policy API has been deprecated and will be removed in a future release. + policy is a reference to a ConfigMap containing scheduler policy which has + user specified predicates and priorities. If this ConfigMap is not available + scheduler will default to use DefaultAlgorithmProvider. + The namespace for this configmap is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + profile: + description: |- + profile sets which scheduling profile should be set in order to configure scheduling + decisions for new pods. + + Valid values are "LowNodeUtilization", "HighNodeUtilization", "NoScoring" + Defaults to "LowNodeUtilization" + enum: + - "" + - LowNodeUtilization + - HighNodeUtilization + - NoScoring + type: string + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_schedulers-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_schedulers-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml index 534bf58f10..cf032fa1ae 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_schedulers-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_schedulers-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml @@ -108,28 +108,6 @@ spec: - HighNodeUtilization - NoScoring type: string - profileCustomizations: - description: |- - profileCustomizations contains configuration for modifying the default behavior of existing scheduler profiles. - Deprecated: no longer needed, since DRA is GA starting with 4.21, and - is enabled by' default in the cluster, this field will be removed in 4.24. - properties: - dynamicResourceAllocation: - description: |- - dynamicResourceAllocation allows to enable or disable dynamic resource allocation within the scheduler. - Dynamic resource allocation is an API for requesting and sharing resources between pods and containers inside a pod. - Third-party resource drivers are responsible for tracking and allocating resources. - Different kinds of resources support arbitrary parameters for defining requirements and initialization. - Valid values are Enabled, Disabled and omitted. - When omitted, this means no opinion and the platform is left to choose a reasonable default, - which is subject to change over time. - The current default is Disabled. - enum: - - "" - - Enabled - - Disabled - type: string - type: object type: object status: description: status holds observed values from the cluster. They may not diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go index 95084cfcb6..30b85b78e9 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go @@ -316,6 +316,22 @@ func (in *AWSServiceEndpoint) DeepCopy() *AWSServiceEndpoint { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AcceptRisk) DeepCopyInto(out *AcceptRisk) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AcceptRisk. +func (in *AcceptRisk) DeepCopy() *AcceptRisk { + if in == nil { + return nil + } + out := new(AcceptRisk) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AdmissionConfig) DeepCopyInto(out *AdmissionConfig) { *out = *in @@ -1393,7 +1409,7 @@ func (in *ClusterVersionSpec) DeepCopyInto(out *ClusterVersionSpec) { if in.DesiredUpdate != nil { in, out := &in.DesiredUpdate, &out.DesiredUpdate *out = new(Update) - **out = **in + (*in).DeepCopyInto(*out) } if in.Capabilities != nil { in, out := &in.Capabilities, &out.Capabilities @@ -1456,6 +1472,13 @@ func (in *ClusterVersionStatus) DeepCopyInto(out *ClusterVersionStatus) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.ConditionalUpdateRisks != nil { + in, out := &in.ConditionalUpdateRisks, &out.ConditionalUpdateRisks + *out = make([]ConditionalUpdateRisk, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } return } @@ -1544,6 +1567,11 @@ func (in *ComponentRouteStatus) DeepCopy() *ComponentRouteStatus { func (in *ConditionalUpdate) DeepCopyInto(out *ConditionalUpdate) { *out = *in in.Release.DeepCopyInto(&out.Release) + if in.RiskNames != nil { + in, out := &in.RiskNames, &out.RiskNames + *out = make([]string, len(*in)) + copy(*out, *in) + } if in.Risks != nil { in, out := &in.Risks, &out.Risks *out = make([]ConditionalUpdateRisk, len(*in)) @@ -1574,6 +1602,13 @@ func (in *ConditionalUpdate) DeepCopy() *ConditionalUpdate { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ConditionalUpdateRisk) DeepCopyInto(out *ConditionalUpdateRisk) { *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]metav1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } if in.MatchingRules != nil { in, out := &in.MatchingRules, &out.MatchingRules *out = make([]ClusterCondition, len(*in)) @@ -2361,33 +2396,6 @@ func (in *FeatureGateTests) DeepCopy() *FeatureGateTests { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *FulcioCAWithRekor) DeepCopyInto(out *FulcioCAWithRekor) { - *out = *in - if in.FulcioCAData != nil { - in, out := &in.FulcioCAData, &out.FulcioCAData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - if in.RekorKeyData != nil { - in, out := &in.RekorKeyData, &out.RekorKeyData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - out.FulcioSubject = in.FulcioSubject - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FulcioCAWithRekor. -func (in *FulcioCAWithRekor) DeepCopy() *FulcioCAWithRekor { - if in == nil { - return nil - } - out := new(FulcioCAWithRekor) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GCPPlatformSpec) DeepCopyInto(out *GCPPlatformSpec) { *out = *in @@ -3144,6 +3152,33 @@ func (in *ImagePolicy) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicyFulcioCAWithRekorRootOfTrust) DeepCopyInto(out *ImagePolicyFulcioCAWithRekorRootOfTrust) { + *out = *in + if in.FulcioCAData != nil { + in, out := &in.FulcioCAData, &out.FulcioCAData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + if in.RekorKeyData != nil { + in, out := &in.RekorKeyData, &out.RekorKeyData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + out.FulcioSubject = in.FulcioSubject + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyFulcioCAWithRekorRootOfTrust. +func (in *ImagePolicyFulcioCAWithRekorRootOfTrust) DeepCopy() *ImagePolicyFulcioCAWithRekorRootOfTrust { + if in == nil { + return nil + } + out := new(ImagePolicyFulcioCAWithRekorRootOfTrust) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ImagePolicyList) DeepCopyInto(out *ImagePolicyList) { *out = *in @@ -3177,6 +3212,59 @@ func (in *ImagePolicyList) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicyPKIRootOfTrust) DeepCopyInto(out *ImagePolicyPKIRootOfTrust) { + *out = *in + if in.CertificateAuthorityRootsData != nil { + in, out := &in.CertificateAuthorityRootsData, &out.CertificateAuthorityRootsData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + if in.CertificateAuthorityIntermediatesData != nil { + in, out := &in.CertificateAuthorityIntermediatesData, &out.CertificateAuthorityIntermediatesData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + out.PKICertificateSubject = in.PKICertificateSubject + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyPKIRootOfTrust. +func (in *ImagePolicyPKIRootOfTrust) DeepCopy() *ImagePolicyPKIRootOfTrust { + if in == nil { + return nil + } + out := new(ImagePolicyPKIRootOfTrust) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicyPublicKeyRootOfTrust) DeepCopyInto(out *ImagePolicyPublicKeyRootOfTrust) { + *out = *in + if in.KeyData != nil { + in, out := &in.KeyData, &out.KeyData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + if in.RekorKeyData != nil { + in, out := &in.RekorKeyData, &out.RekorKeyData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyPublicKeyRootOfTrust. +func (in *ImagePolicyPublicKeyRootOfTrust) DeepCopy() *ImagePolicyPublicKeyRootOfTrust { + if in == nil { + return nil + } + out := new(ImagePolicyPublicKeyRootOfTrust) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ImagePolicySpec) DeepCopyInto(out *ImagePolicySpec) { *out = *in @@ -3222,6 +3310,28 @@ func (in *ImagePolicyStatus) DeepCopy() *ImagePolicyStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImageSigstoreVerificationPolicy) DeepCopyInto(out *ImageSigstoreVerificationPolicy) { + *out = *in + in.RootOfTrust.DeepCopyInto(&out.RootOfTrust) + if in.SignedIdentity != nil { + in, out := &in.SignedIdentity, &out.SignedIdentity + *out = new(PolicyIdentity) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageSigstoreVerificationPolicy. +func (in *ImageSigstoreVerificationPolicy) DeepCopy() *ImageSigstoreVerificationPolicy { + if in == nil { + return nil + } + out := new(ImageSigstoreVerificationPolicy) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ImageSpec) DeepCopyInto(out *ImageSpec) { *out = *in @@ -4732,6 +4842,11 @@ func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.UserValidationRules != nil { + in, out := &in.UserValidationRules, &out.UserValidationRules + *out = make([]TokenUserValidationRule, len(*in)) + copy(*out, *in) + } return } @@ -5109,33 +5224,6 @@ func (in *OvirtPlatformStatus) DeepCopy() *OvirtPlatformStatus { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PKI) DeepCopyInto(out *PKI) { - *out = *in - if in.CertificateAuthorityRootsData != nil { - in, out := &in.CertificateAuthorityRootsData, &out.CertificateAuthorityRootsData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - if in.CertificateAuthorityIntermediatesData != nil { - in, out := &in.CertificateAuthorityIntermediatesData, &out.CertificateAuthorityIntermediatesData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - out.PKICertificateSubject = in.PKICertificateSubject - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKI. -func (in *PKI) DeepCopy() *PKI { - if in == nil { - return nil - } - out := new(PKI) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PKICertificateSubject) DeepCopyInto(out *PKICertificateSubject) { *out = *in @@ -5357,28 +5445,6 @@ func (in *PlatformStatus) DeepCopy() *PlatformStatus { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Policy) DeepCopyInto(out *Policy) { - *out = *in - in.RootOfTrust.DeepCopyInto(&out.RootOfTrust) - if in.SignedIdentity != nil { - in, out := &in.SignedIdentity, &out.SignedIdentity - *out = new(PolicyIdentity) - (*in).DeepCopyInto(*out) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy. -func (in *Policy) DeepCopy() *Policy { - if in == nil { - return nil - } - out := new(Policy) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PolicyFulcioSubject) DeepCopyInto(out *PolicyFulcioSubject) { *out = *in @@ -5458,17 +5524,17 @@ func (in *PolicyRootOfTrust) DeepCopyInto(out *PolicyRootOfTrust) { *out = *in if in.PublicKey != nil { in, out := &in.PublicKey, &out.PublicKey - *out = new(PublicKey) + *out = new(ImagePolicyPublicKeyRootOfTrust) (*in).DeepCopyInto(*out) } if in.FulcioCAWithRekor != nil { in, out := &in.FulcioCAWithRekor, &out.FulcioCAWithRekor - *out = new(FulcioCAWithRekor) + *out = new(ImagePolicyFulcioCAWithRekorRootOfTrust) (*in).DeepCopyInto(*out) } if in.PKI != nil { in, out := &in.PKI, &out.PKI - *out = new(PKI) + *out = new(ImagePolicyPKIRootOfTrust) (*in).DeepCopyInto(*out) } return @@ -5784,32 +5850,6 @@ func (in *ProxyStatus) DeepCopy() *ProxyStatus { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PublicKey) DeepCopyInto(out *PublicKey) { - *out = *in - if in.KeyData != nil { - in, out := &in.KeyData, &out.KeyData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - if in.RekorKeyData != nil { - in, out := &in.RekorKeyData, &out.RekorKeyData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PublicKey. -func (in *PublicKey) DeepCopy() *PublicKey { - if in == nil { - return nil - } - out := new(PublicKey) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RegistryLocation) DeepCopyInto(out *RegistryLocation) { *out = *in @@ -6405,6 +6445,22 @@ func (in *TokenClaimOrExpressionMapping) DeepCopy() *TokenClaimOrExpressionMappi return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TokenClaimValidationCELRule) DeepCopyInto(out *TokenClaimValidationCELRule) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenClaimValidationCELRule. +func (in *TokenClaimValidationCELRule) DeepCopy() *TokenClaimValidationCELRule { + if in == nil { + return nil + } + out := new(TokenClaimValidationCELRule) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TokenClaimValidationRule) DeepCopyInto(out *TokenClaimValidationRule) { *out = *in @@ -6413,6 +6469,7 @@ func (in *TokenClaimValidationRule) DeepCopyInto(out *TokenClaimValidationRule) *out = new(TokenRequiredClaim) **out = **in } + out.CEL = in.CEL return } @@ -6485,9 +6542,30 @@ func (in *TokenRequiredClaim) DeepCopy() *TokenRequiredClaim { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TokenUserValidationRule) DeepCopyInto(out *TokenUserValidationRule) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenUserValidationRule. +func (in *TokenUserValidationRule) DeepCopy() *TokenUserValidationRule { + if in == nil { + return nil + } + out := new(TokenUserValidationRule) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Update) DeepCopyInto(out *Update) { *out = *in + if in.AcceptRisks != nil { + in, out := &in.AcceptRisks, &out.AcceptRisks + *out = make([]AcceptRisk, len(*in)) + copy(*out, *in) + } return } diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml index e442d8f236..5d4794e4ba 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml @@ -31,6 +31,7 @@ authentications.config.openshift.io: FeatureGates: - ExternalOIDC - ExternalOIDCWithUIDAndExtraClaimMappings + - ExternalOIDCWithUpstreamParity FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" @@ -141,6 +142,7 @@ clusterversions.config.openshift.io: Capability: "" Category: "" FeatureGates: + - ClusterUpdateAcceptRisks - ImageStreamImportMode - SignatureStores FilenameOperatorName: cluster-version-operator @@ -574,7 +576,6 @@ schedulers.config.openshift.io: Capability: "" Category: "" FeatureGates: - - DynamicResourceAllocation - HyperShiftOnlyDynamicResourceAllocation FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go index fe0d2236d2..e7bc0aebb3 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go @@ -449,6 +449,7 @@ var map_OIDCProvider = map[string]string{ "oidcClients": "oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.", "claimMappings": "claimMappings is a required field that configures the rules to be used by the Kubernetes API server for translating claims in a JWT token, issued by the identity provider, to a cluster identity.", "claimValidationRules": "claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider.\n\nValidation rules are joined via an AND operation.", + "userValidationRules": "userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. If any rule in the chain of rules evaluates to 'false', authentication will fail. When specified, at least one rule must be specified and no more than 64 rules may be specified.", } func (OIDCProvider) SwaggerDoc() map[string]string { @@ -494,9 +495,20 @@ func (TokenClaimOrExpressionMapping) SwaggerDoc() map[string]string { return map_TokenClaimOrExpressionMapping } +var map_TokenClaimValidationCELRule = map[string]string{ + "expression": "expression is a CEL expression evaluated against token claims. expression is required, must be at least 1 character in length and must not exceed 1024 characters. The expression must return a boolean value where 'true' signals a valid token and 'false' an invalid one.", + "message": "message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters.", +} + +func (TokenClaimValidationCELRule) SwaggerDoc() map[string]string { + return map_TokenClaimValidationCELRule +} + var map_TokenClaimValidationRule = map[string]string{ - "type": "type is an optional field that configures the type of the validation rule.\n\nAllowed values are 'RequiredClaim' and omitted (not provided or an empty string).\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nDefaults to 'RequiredClaim'.", - "requiredClaim": "requiredClaim is an optional field that configures the required claim and value that the Kubernetes API server will use to validate if an incoming JWT is valid for this identity provider.", + "": "TokenClaimValidationRule represents a validation rule based on token claims. If type is RequiredClaim, requiredClaim must be set. If Type is CEL, CEL must be set and RequiredClaim must be omitted.", + "type": "type is an optional field that configures the type of the validation rule.\n\nAllowed values are \"RequiredClaim\" and \"CEL\".\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nWhen set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression.", + "requiredClaim": "requiredClaim allows configuring a required claim name and its expected value. This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.", + "cel": "cel holds the CEL expression and message for validation. Must be set when Type is \"CEL\", and forbidden otherwise.", } func (TokenClaimValidationRule) SwaggerDoc() map[string]string { @@ -507,6 +519,7 @@ var map_TokenIssuer = map[string]string{ "issuerURL": "issuerURL is a required field that configures the URL used to issue tokens by the identity provider. The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.\n\nMust be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.", "audiences": "audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token.\n\naudiences must contain at least one entry and must not exceed ten entries.", "issuerCertificateAuthority": "issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information.\n\nWhen not specified, the system trust is used.\n\nWhen specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap.", + "discoveryURL": "discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as \"{issuerURL}/.well-known/openid-configuration\".\n\nThe discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `url` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters.", } func (TokenIssuer) SwaggerDoc() map[string]string { @@ -522,6 +535,16 @@ func (TokenRequiredClaim) SwaggerDoc() map[string]string { return map_TokenRequiredClaim } +var map_TokenUserValidationRule = map[string]string{ + "": "TokenUserValidationRule provides a CEL-based rule used to validate a token subject. Each rule contains a CEL expression that is evaluated against the token’s claims.", + "expression": "expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc. The expression must evaluate to a boolean value. When the expression evaluates to 'true', the cluster user identity is considered valid. When the expression evaluates to 'false', the cluster user identity is not considered valid. expression must be at least 1 character in length and must not exceed 1024 characters.", + "message": "message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters.", +} + +func (TokenUserValidationRule) SwaggerDoc() map[string]string { + return map_TokenUserValidationRule +} + var map_UsernameClaimMapping = map[string]string{ "claim": "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.\n\nclaim must not be an empty string (\"\") and must not exceed 256 characters.", "prefixPolicy": "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. The prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. As an example, consider the following scenario:\n `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n - \"email\": the mapped value will be \"userA@myoidc.tld\"", @@ -724,6 +747,15 @@ func (OperandVersion) SwaggerDoc() map[string]string { return map_OperandVersion } +var map_AcceptRisk = map[string]string{ + "": "AcceptRisk represents a risk that is considered acceptable.", + "name": "name is the name of the acceptable risk. It must be a non-empty string and must not exceed 256 characters.", +} + +func (AcceptRisk) SwaggerDoc() map[string]string { + return map_AcceptRisk +} + var map_ClusterCondition = map[string]string{ "": "ClusterCondition is a union of typed cluster conditions. The 'type' property determines which of the type-specific properties are relevant. When evaluated on a cluster, the condition may match, not match, or fail to evaluate.", "type": "type represents the cluster-condition type. This defines the members and semantics of any additional properties.", @@ -790,15 +822,16 @@ func (ClusterVersionSpec) SwaggerDoc() map[string]string { } var map_ClusterVersionStatus = map[string]string{ - "": "ClusterVersionStatus reports the status of the cluster versioning, including any upgrades that are in progress. The current field will be set to whichever version the cluster is reconciling to, and the conditions array will report whether the update succeeded, is in progress, or is failing.", - "desired": "desired is the version that the cluster is reconciling towards. If the cluster is not yet fully initialized desired will be set with the information available, which may be an image or a tag.", - "history": "history contains a list of the most recent versions applied to the cluster. This value may be empty during cluster startup, and then will be updated when a new update is being applied. The newest update is first in the list and it is ordered by recency. Updates in the history have state Completed if the rollout completed - if an update was failing or halfway applied the state will be Partial. Only a limited amount of update history is preserved.", - "observedGeneration": "observedGeneration reports which version of the spec is being synced. If this value is not equal to metadata.generation, then the desired and conditions fields may represent a previous version.", - "versionHash": "versionHash is a fingerprint of the content that the cluster will be updated with. It is used by the operator to avoid unnecessary work and is for internal use only.", - "capabilities": "capabilities describes the state of optional, core cluster components.", - "conditions": "conditions provides information about the cluster version. The condition \"Available\" is set to true if the desiredUpdate has been reached. The condition \"Progressing\" is set to true if an update is being applied. The condition \"Degraded\" is set to true if an update is currently blocked by a temporary or permanent error. Conditions are only valid for the current desiredUpdate when metadata.generation is equal to status.generation.", - "availableUpdates": "availableUpdates contains updates recommended for this cluster. Updates which appear in conditionalUpdates but not in availableUpdates may expose this cluster to known issues. This list may be empty if no updates are recommended, if the update service is unavailable, or if an invalid channel has been specified.", - "conditionalUpdates": "conditionalUpdates contains the list of updates that may be recommended for this cluster if it meets specific required conditions. Consumers interested in the set of updates that are actually recommended for this cluster should use availableUpdates. This list may be empty if no updates are recommended, if the update service is unavailable, or if an empty or invalid channel has been specified.", + "": "ClusterVersionStatus reports the status of the cluster versioning, including any upgrades that are in progress. The current field will be set to whichever version the cluster is reconciling to, and the conditions array will report whether the update succeeded, is in progress, or is failing.", + "desired": "desired is the version that the cluster is reconciling towards. If the cluster is not yet fully initialized desired will be set with the information available, which may be an image or a tag.", + "history": "history contains a list of the most recent versions applied to the cluster. This value may be empty during cluster startup, and then will be updated when a new update is being applied. The newest update is first in the list and it is ordered by recency. Updates in the history have state Completed if the rollout completed - if an update was failing or halfway applied the state will be Partial. Only a limited amount of update history is preserved.", + "observedGeneration": "observedGeneration reports which version of the spec is being synced. If this value is not equal to metadata.generation, then the desired and conditions fields may represent a previous version.", + "versionHash": "versionHash is a fingerprint of the content that the cluster will be updated with. It is used by the operator to avoid unnecessary work and is for internal use only.", + "capabilities": "capabilities describes the state of optional, core cluster components.", + "conditions": "conditions provides information about the cluster version. The condition \"Available\" is set to true if the desiredUpdate has been reached. The condition \"Progressing\" is set to true if an update is being applied. The condition \"Degraded\" is set to true if an update is currently blocked by a temporary or permanent error. Conditions are only valid for the current desiredUpdate when metadata.generation is equal to status.generation.", + "availableUpdates": "availableUpdates contains updates recommended for this cluster. Updates which appear in conditionalUpdates but not in availableUpdates may expose this cluster to known issues. This list may be empty if no updates are recommended, if the update service is unavailable, or if an invalid channel has been specified.", + "conditionalUpdates": "conditionalUpdates contains the list of updates that may be recommended for this cluster if it meets specific required conditions. Consumers interested in the set of updates that are actually recommended for this cluster should use availableUpdates. This list may be empty if no updates are recommended, if the update service is unavailable, or if an empty or invalid channel has been specified.", + "conditionalUpdateRisks": "conditionalUpdateRisks contains the list of risks associated with conditionalUpdates. When performing a conditional update, all its associated risks will be compared with the set of accepted risks in the spec.desiredUpdate.acceptRisks field. If all risks for a conditional update are included in the spec.desiredUpdate.acceptRisks set, the conditional update can proceed, otherwise it is blocked. The risk names in the list must be unique. conditionalUpdateRisks must not contain more than 500 entries.", } func (ClusterVersionStatus) SwaggerDoc() map[string]string { @@ -821,6 +854,7 @@ func (ComponentOverride) SwaggerDoc() map[string]string { var map_ConditionalUpdate = map[string]string{ "": "ConditionalUpdate represents an update which is recommended to some clusters on the version the current cluster is reconciling, but which may not be recommended for the current cluster.", "release": "release is the target of the update.", + "riskNames": "riskNames represents the set of the names of conditionalUpdateRisks that are relevant to this update for some clusters. The Applies condition of each conditionalUpdateRisks entry declares if that risk applies to this cluster. A conditional update is accepted only if each of its risks either does not apply to the cluster or is considered acceptable by the cluster administrator. The latter means that the risk names are included in value of the spec.desiredUpdate.acceptRisks field. Entries must be unique and must not exceed 256 characters. riskNames must not contain more than 500 entries.", "risks": "risks represents the range of issues associated with updating to the target release. The cluster-version operator will evaluate all entries, and only recommend the update if there is at least one entry and all entries recommend the update.", "conditions": "conditions represents the observations of the conditional update's current status. Known types are: * Recommended, for whether the update is recommended for the current cluster.", } @@ -831,6 +865,7 @@ func (ConditionalUpdate) SwaggerDoc() map[string]string { var map_ConditionalUpdateRisk = map[string]string{ "": "ConditionalUpdateRisk represents a reason and cluster-state for not recommending a conditional update.", + "conditions": "conditions represents the observations of the conditional update risk's current status. Known types are: * Applies, for whether the risk applies to the current cluster. The condition's types in the list must be unique. conditions must not contain more than one entry.", "url": "url contains information about this risk.", "name": "name is the CamelCase reason for not recommending a conditional update, in the event that matchingRules match the cluster state.", "message": "message provides additional information about the risk of updating, in the event that matchingRules match the cluster state. This is only to be consumed by humans. It may contain Line Feed characters (U+000A), which should be rendered as new lines.", @@ -879,6 +914,7 @@ var map_Update = map[string]string{ "version": "version is a semantic version identifying the update version. version is required if architecture is specified. If both version and image are set, the version extracted from the referenced image must match the specified version.", "image": "image is a container image location that contains the update. image should be used when the desired version does not exist in availableUpdates or history. When image is set, architecture cannot be specified. If both version and image are set, the version extracted from the referenced image must match the specified version.", "force": "force allows an administrator to update to an image that has failed verification or upgradeable checks that are designed to keep your cluster safe. Only use this if: * you are testing unsigned release images in short-lived test clusters or * you are working around a known bug in the cluster-version\n operator and you have verified the authenticity of the provided\n image yourself.\nThe provided image will run with full administrative access to the cluster. Do not use this flag with images that come from unknown or potentially malicious sources.", + "acceptRisks": "acceptRisks is an optional set of names of conditional update risks that are considered acceptable. A conditional update is performed only if all of its risks are acceptable. This list may contain entries that apply to current, previous or future updates. The entries therefore may not map directly to a risk in .status.conditionalUpdateRisks. acceptRisks must not contain more than 1000 entries. Entries in this list must be unique.", } func (Update) SwaggerDoc() map[string]string { @@ -893,7 +929,7 @@ var map_UpdateHistory = map[string]string{ "version": "version is a semantic version identifying the update version. If the requested image does not define a version, or if a failure occurs retrieving the image, this value may be empty.", "image": "image is a container image location that contains the update. This value is always populated.", "verified": "verified indicates whether the provided update was properly verified before it was installed. If this is false the cluster may not be trusted. Verified does not cover upgradeable checks that depend on the cluster state at the time when the update target was accepted.", - "acceptedRisks": "acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", + "acceptedRisks": "acceptedRisks records risks which were accepted to initiate the update. For example, it may mention an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", } func (UpdateHistory) SwaggerDoc() map[string]string { @@ -1214,17 +1250,6 @@ func (ImageDigestMirrors) SwaggerDoc() map[string]string { return map_ImageDigestMirrors } -var map_FulcioCAWithRekor = map[string]string{ - "": "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.", - "fulcioCAData": "fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters. ", - "rekorKeyData": "rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ", - "fulcioSubject": "fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.", -} - -func (FulcioCAWithRekor) SwaggerDoc() map[string]string { - return map_FulcioCAWithRekor -} - var map_ImagePolicy = map[string]string{ "": "ImagePolicy holds namespace-wide configuration for image signature verification\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", @@ -1236,6 +1261,17 @@ func (ImagePolicy) SwaggerDoc() map[string]string { return map_ImagePolicy } +var map_ImagePolicyFulcioCAWithRekorRootOfTrust = map[string]string{ + "": "ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.", + "fulcioCAData": "fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters. ", + "rekorKeyData": "rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ", + "fulcioSubject": "fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.", +} + +func (ImagePolicyFulcioCAWithRekorRootOfTrust) SwaggerDoc() map[string]string { + return map_ImagePolicyFulcioCAWithRekorRootOfTrust +} + var map_ImagePolicyList = map[string]string{ "": "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", @@ -1246,6 +1282,27 @@ func (ImagePolicyList) SwaggerDoc() map[string]string { return map_ImagePolicyList } +var map_ImagePolicyPKIRootOfTrust = map[string]string{ + "": "ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", + "caRootsData": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. ", + "caIntermediatesData": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set. ", + "pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", +} + +func (ImagePolicyPKIRootOfTrust) SwaggerDoc() map[string]string { + return map_ImagePolicyPKIRootOfTrust +} + +var map_ImagePolicyPublicKeyRootOfTrust = map[string]string{ + "": "ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.", + "keyData": "keyData is a required field contains inline base64-encoded data for the PEM format public key. keyData must be at most 8192 characters. ", + "rekorKeyData": "rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ", +} + +func (ImagePolicyPublicKeyRootOfTrust) SwaggerDoc() map[string]string { + return map_ImagePolicyPublicKeyRootOfTrust +} + var map_ImagePolicySpec = map[string]string{ "": "ImagePolicySpec is the specification of the ImagePolicy CRD.", "scopes": "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", @@ -1264,15 +1321,14 @@ func (ImagePolicyStatus) SwaggerDoc() map[string]string { return map_ImagePolicyStatus } -var map_PKI = map[string]string{ - "": "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", - "caRootsData": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. ", - "caIntermediatesData": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set. ", - "pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", +var map_ImageSigstoreVerificationPolicy = map[string]string{ + "": "ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.", + "rootOfTrust": "rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.", + "signedIdentity": "signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", } -func (PKI) SwaggerDoc() map[string]string { - return map_PKI +func (ImageSigstoreVerificationPolicy) SwaggerDoc() map[string]string { + return map_ImageSigstoreVerificationPolicy } var map_PKICertificateSubject = map[string]string{ @@ -1285,16 +1341,6 @@ func (PKICertificateSubject) SwaggerDoc() map[string]string { return map_PKICertificateSubject } -var map_Policy = map[string]string{ - "": "Policy defines the verification policy for the items in the scopes list.", - "rootOfTrust": "rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.", - "signedIdentity": "signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", -} - -func (Policy) SwaggerDoc() map[string]string { - return map_Policy -} - var map_PolicyFulcioSubject = map[string]string{ "": "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.", "oidcIssuer": "oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: \"https://expected.OIDC.issuer/\"", @@ -1335,7 +1381,7 @@ func (PolicyMatchRemapIdentity) SwaggerDoc() map[string]string { var map_PolicyRootOfTrust = map[string]string{ "": "PolicyRootOfTrust defines the root of trust based on the selected policyType.", - "policyType": "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", + "policyType": "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI).", "publicKey": "publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. publicKey is required when policyType is PublicKey, and forbidden otherwise.", "fulcioCAWithRekor": "fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", "pki": "pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. pki is required when policyType is PKI, and forbidden otherwise.", @@ -1345,16 +1391,6 @@ func (PolicyRootOfTrust) SwaggerDoc() map[string]string { return map_PolicyRootOfTrust } -var map_PublicKey = map[string]string{ - "": "PublicKey defines the root of trust based on a sigstore public key.", - "keyData": "keyData is a required field contains inline base64-encoded data for the PEM format public key. keyData must be at most 8192 characters. ", - "rekorKeyData": "rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ", -} - -func (PublicKey) SwaggerDoc() map[string]string { - return map_PublicKey -} - var map_ImageTagMirrorSet = map[string]string{ "": "ImageTagMirrorSet holds cluster-wide information about how to handle registry mirror rules on using tag pull specification. When multiple policies are defined, the outcome of the behavior is defined on each field.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", @@ -2943,7 +2979,7 @@ func (CustomTLSProfile) SwaggerDoc() map[string]string { } var map_IntermediateTLSProfile = map[string]string{ - "": "IntermediateTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29", + "": "IntermediateTLSProfile is a TLS security profile based on the \"intermediate\" configuration of the Mozilla Server Side TLS configuration guidelines.", } func (IntermediateTLSProfile) SwaggerDoc() map[string]string { @@ -2951,7 +2987,7 @@ func (IntermediateTLSProfile) SwaggerDoc() map[string]string { } var map_ModernTLSProfile = map[string]string{ - "": "ModernTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility", + "": "ModernTLSProfile is a TLS security profile based on the \"modern\" configuration of the Mozilla Server Side TLS configuration guidelines.", } func (ModernTLSProfile) SwaggerDoc() map[string]string { @@ -2959,7 +2995,7 @@ func (ModernTLSProfile) SwaggerDoc() map[string]string { } var map_OldTLSProfile = map[string]string{ - "": "OldTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility", + "": "OldTLSProfile is a TLS security profile based on the \"old\" configuration of the Mozilla Server Side TLS configuration guidelines.", } func (OldTLSProfile) SwaggerDoc() map[string]string { @@ -2969,7 +3005,7 @@ func (OldTLSProfile) SwaggerDoc() map[string]string { var map_TLSProfileSpec = map[string]string{ "": "TLSProfileSpec is the desired behavior of a TLSSecurityProfile.", "ciphers": "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries their operands do not support. For example, to use DES-CBC3-SHA (yaml):\n\n ciphers:\n - DES-CBC3-SHA", - "minTLSVersion": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11\n\nNOTE: currently the highest minTLSVersion allowed is VersionTLS12", + "minTLSVersion": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11", } func (TLSProfileSpec) SwaggerDoc() map[string]string { @@ -2978,11 +3014,11 @@ func (TLSProfileSpec) SwaggerDoc() map[string]string { var map_TLSSecurityProfile = map[string]string{ "": "TLSSecurityProfile defines the schema for a TLS security profile. This object is used by operators to apply TLS security settings to operands.", - "type": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. Old, Intermediate and Modern are TLS security profiles based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.\n\nNote that the Modern profile is currently not supported because it is not yet well adopted by common software libraries.", - "old": "old is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility\n\nand looks like this (yaml):\n\n ciphers:\n\n - TLS_AES_128_GCM_SHA256\n\n - TLS_AES_256_GCM_SHA384\n\n - TLS_CHACHA20_POLY1305_SHA256\n\n - ECDHE-ECDSA-AES128-GCM-SHA256\n\n - ECDHE-RSA-AES128-GCM-SHA256\n\n - ECDHE-ECDSA-AES256-GCM-SHA384\n\n - ECDHE-RSA-AES256-GCM-SHA384\n\n - ECDHE-ECDSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-CHACHA20-POLY1305\n\n - DHE-RSA-AES128-GCM-SHA256\n\n - DHE-RSA-AES256-GCM-SHA384\n\n - DHE-RSA-CHACHA20-POLY1305\n\n - ECDHE-ECDSA-AES128-SHA256\n\n - ECDHE-RSA-AES128-SHA256\n\n - ECDHE-ECDSA-AES128-SHA\n\n - ECDHE-RSA-AES128-SHA\n\n - ECDHE-ECDSA-AES256-SHA384\n\n - ECDHE-RSA-AES256-SHA384\n\n - ECDHE-ECDSA-AES256-SHA\n\n - ECDHE-RSA-AES256-SHA\n\n - DHE-RSA-AES128-SHA256\n\n - DHE-RSA-AES256-SHA256\n\n - AES128-GCM-SHA256\n\n - AES256-GCM-SHA384\n\n - AES128-SHA256\n\n - AES256-SHA256\n\n - AES128-SHA\n\n - AES256-SHA\n\n - DES-CBC3-SHA\n\n minTLSVersion: VersionTLS10", - "intermediate": "intermediate is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29\n\nand looks like this (yaml):\n\n ciphers:\n\n - TLS_AES_128_GCM_SHA256\n\n - TLS_AES_256_GCM_SHA384\n\n - TLS_CHACHA20_POLY1305_SHA256\n\n - ECDHE-ECDSA-AES128-GCM-SHA256\n\n - ECDHE-RSA-AES128-GCM-SHA256\n\n - ECDHE-ECDSA-AES256-GCM-SHA384\n\n - ECDHE-RSA-AES256-GCM-SHA384\n\n - ECDHE-ECDSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-CHACHA20-POLY1305\n\n - DHE-RSA-AES128-GCM-SHA256\n\n - DHE-RSA-AES256-GCM-SHA384\n\n minTLSVersion: VersionTLS12", - "modern": "modern is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility\n\nand looks like this (yaml):\n\n ciphers:\n\n - TLS_AES_128_GCM_SHA256\n\n - TLS_AES_256_GCM_SHA384\n\n - TLS_CHACHA20_POLY1305_SHA256\n\n minTLSVersion: VersionTLS13", - "custom": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n ciphers:\n\n - ECDHE-ECDSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-AES128-GCM-SHA256\n\n - ECDHE-ECDSA-AES128-GCM-SHA256\n\n minTLSVersion: VersionTLS11", + "type": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are currently based on version 5.0 of the Mozilla Server Side TLS configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.", + "old": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"old\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", + "intermediate": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"intermediate\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384", + "modern": "modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS13\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256", + "custom": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n minTLSVersion: VersionTLS11\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256", } func (TLSSecurityProfile) SwaggerDoc() map[string]string { diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go index 107b9e29a4..e8d7603d7b 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go @@ -51,7 +51,7 @@ type ClusterImagePolicySpec struct { // policy contains configuration to allow scopes to be verified, and defines how // images not matching the verification policy will be treated. // +required - Policy Policy `json:"policy"` + Policy ImageSigstoreVerificationPolicy `json:"policy"` } // +k8s:deepcopy-gen=true diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go b/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go index 64a89e4a63..977ca3dde3 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go @@ -50,7 +50,7 @@ type ImagePolicySpec struct { // policy contains configuration to allow scopes to be verified, and defines how // images not matching the verification policy will be treated. // +required - Policy Policy `json:"policy"` + Policy ImageSigstoreVerificationPolicy `json:"policy"` } // +kubebuilder:validation:XValidation:rule="size(self.split('/')[0].split('.')) == 1 ? self.split('/')[0].split('.')[0].split(':')[0] == 'localhost' : true",message="invalid image scope format, scope must contain a fully qualified domain name or 'localhost'" @@ -59,8 +59,8 @@ type ImagePolicySpec struct { // +kubebuilder:validation:MaxLength=512 type ImageScope string -// Policy defines the verification policy for the items in the scopes list. -type Policy struct { +// ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list. +type ImageSigstoreVerificationPolicy struct { // rootOfTrust specifies the root of trust for the policy. // +required RootOfTrust PolicyRootOfTrust `json:"rootOfTrust"` @@ -84,16 +84,16 @@ type PolicyRootOfTrust struct { PolicyType PolicyType `json:"policyType"` // publicKey defines the root of trust based on a sigstore public key. // +optional - PublicKey *PublicKey `json:"publicKey,omitempty"` + PublicKey *ImagePolicyPublicKeyRootOfTrust `json:"publicKey,omitempty"` // fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. // For more information about Fulcio and Rekor, please refer to the document at: // https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor // +optional - FulcioCAWithRekor *FulcioCAWithRekor `json:"fulcioCAWithRekor,omitempty"` + FulcioCAWithRekor *ImagePolicyFulcioCAWithRekorRootOfTrust `json:"fulcioCAWithRekor,omitempty"` // pki defines the root of trust based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. // +optional // +openshift:enable:FeatureGate=SigstoreImageVerificationPKI - PKI *PKI `json:"pki,omitempty"` + PKI *ImagePolicyPKIRootOfTrust `json:"pki,omitempty"` } // +openshift:validation:FeatureGateAwareEnum:featureGate="",enum=PublicKey;FulcioCAWithRekor @@ -106,8 +106,8 @@ const ( PKIRootOfTrust PolicyType = "PKI" ) -// PublicKey defines the root of trust based on a sigstore public key. -type PublicKey struct { +// ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key. +type ImagePolicyPublicKeyRootOfTrust struct { // keyData contains inline base64-encoded data for the PEM format public key. // KeyData must be at most 8192 characters. // +required @@ -120,8 +120,8 @@ type PublicKey struct { RekorKeyData []byte `json:"rekorKeyData,omitempty"` } -// FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. -type FulcioCAWithRekor struct { +// ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key. +type ImagePolicyFulcioCAWithRekorRootOfTrust struct { // fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. // fulcioCAData must be at most 8192 characters. // +required @@ -151,8 +151,8 @@ type PolicyFulcioSubject struct { SignedEmail string `json:"signedEmail"` } -// PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates. -type PKI struct { +// ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates. +type ImagePolicyPKIRootOfTrust struct { // caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. // +required // +kubebuilder:validation:MaxLength=8192 diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go index 6549f6cbe4..9ead6aba26 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go @@ -429,33 +429,6 @@ func (in *EtcdBackupSpec) DeepCopy() *EtcdBackupSpec { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *FulcioCAWithRekor) DeepCopyInto(out *FulcioCAWithRekor) { - *out = *in - if in.FulcioCAData != nil { - in, out := &in.FulcioCAData, &out.FulcioCAData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - if in.RekorKeyData != nil { - in, out := &in.RekorKeyData, &out.RekorKeyData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - out.FulcioSubject = in.FulcioSubject - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FulcioCAWithRekor. -func (in *FulcioCAWithRekor) DeepCopy() *FulcioCAWithRekor { - if in == nil { - return nil - } - out := new(FulcioCAWithRekor) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GatherConfig) DeepCopyInto(out *GatherConfig) { *out = *in @@ -510,6 +483,33 @@ func (in *ImagePolicy) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicyFulcioCAWithRekorRootOfTrust) DeepCopyInto(out *ImagePolicyFulcioCAWithRekorRootOfTrust) { + *out = *in + if in.FulcioCAData != nil { + in, out := &in.FulcioCAData, &out.FulcioCAData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + if in.RekorKeyData != nil { + in, out := &in.RekorKeyData, &out.RekorKeyData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + out.FulcioSubject = in.FulcioSubject + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyFulcioCAWithRekorRootOfTrust. +func (in *ImagePolicyFulcioCAWithRekorRootOfTrust) DeepCopy() *ImagePolicyFulcioCAWithRekorRootOfTrust { + if in == nil { + return nil + } + out := new(ImagePolicyFulcioCAWithRekorRootOfTrust) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ImagePolicyList) DeepCopyInto(out *ImagePolicyList) { *out = *in @@ -543,6 +543,59 @@ func (in *ImagePolicyList) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicyPKIRootOfTrust) DeepCopyInto(out *ImagePolicyPKIRootOfTrust) { + *out = *in + if in.CertificateAuthorityRootsData != nil { + in, out := &in.CertificateAuthorityRootsData, &out.CertificateAuthorityRootsData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + if in.CertificateAuthorityIntermediatesData != nil { + in, out := &in.CertificateAuthorityIntermediatesData, &out.CertificateAuthorityIntermediatesData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + out.PKICertificateSubject = in.PKICertificateSubject + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyPKIRootOfTrust. +func (in *ImagePolicyPKIRootOfTrust) DeepCopy() *ImagePolicyPKIRootOfTrust { + if in == nil { + return nil + } + out := new(ImagePolicyPKIRootOfTrust) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicyPublicKeyRootOfTrust) DeepCopyInto(out *ImagePolicyPublicKeyRootOfTrust) { + *out = *in + if in.KeyData != nil { + in, out := &in.KeyData, &out.KeyData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + if in.RekorKeyData != nil { + in, out := &in.RekorKeyData, &out.RekorKeyData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyPublicKeyRootOfTrust. +func (in *ImagePolicyPublicKeyRootOfTrust) DeepCopy() *ImagePolicyPublicKeyRootOfTrust { + if in == nil { + return nil + } + out := new(ImagePolicyPublicKeyRootOfTrust) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ImagePolicySpec) DeepCopyInto(out *ImagePolicySpec) { *out = *in @@ -588,6 +641,24 @@ func (in *ImagePolicyStatus) DeepCopy() *ImagePolicyStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImageSigstoreVerificationPolicy) DeepCopyInto(out *ImageSigstoreVerificationPolicy) { + *out = *in + in.RootOfTrust.DeepCopyInto(&out.RootOfTrust) + in.SignedIdentity.DeepCopyInto(&out.SignedIdentity) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageSigstoreVerificationPolicy. +func (in *ImageSigstoreVerificationPolicy) DeepCopy() *ImageSigstoreVerificationPolicy { + if in == nil { + return nil + } + out := new(ImageSigstoreVerificationPolicy) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *InsightsDataGather) DeepCopyInto(out *InsightsDataGather) { *out = *in @@ -727,33 +798,6 @@ func (in *MetricsServerConfig) DeepCopy() *MetricsServerConfig { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PKI) DeepCopyInto(out *PKI) { - *out = *in - if in.CertificateAuthorityRootsData != nil { - in, out := &in.CertificateAuthorityRootsData, &out.CertificateAuthorityRootsData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - if in.CertificateAuthorityIntermediatesData != nil { - in, out := &in.CertificateAuthorityIntermediatesData, &out.CertificateAuthorityIntermediatesData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - out.PKICertificateSubject = in.PKICertificateSubject - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKI. -func (in *PKI) DeepCopy() *PKI { - if in == nil { - return nil - } - out := new(PKI) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PKICertificateSubject) DeepCopyInto(out *PKICertificateSubject) { *out = *in @@ -803,24 +847,6 @@ func (in *PersistentVolumeConfig) DeepCopy() *PersistentVolumeConfig { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Policy) DeepCopyInto(out *Policy) { - *out = *in - in.RootOfTrust.DeepCopyInto(&out.RootOfTrust) - in.SignedIdentity.DeepCopyInto(&out.SignedIdentity) - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy. -func (in *Policy) DeepCopy() *Policy { - if in == nil { - return nil - } - out := new(Policy) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PolicyFulcioSubject) DeepCopyInto(out *PolicyFulcioSubject) { *out = *in @@ -900,17 +926,17 @@ func (in *PolicyRootOfTrust) DeepCopyInto(out *PolicyRootOfTrust) { *out = *in if in.PublicKey != nil { in, out := &in.PublicKey, &out.PublicKey - *out = new(PublicKey) + *out = new(ImagePolicyPublicKeyRootOfTrust) (*in).DeepCopyInto(*out) } if in.FulcioCAWithRekor != nil { in, out := &in.FulcioCAWithRekor, &out.FulcioCAWithRekor - *out = new(FulcioCAWithRekor) + *out = new(ImagePolicyFulcioCAWithRekorRootOfTrust) (*in).DeepCopyInto(*out) } if in.PKI != nil { in, out := &in.PKI, &out.PKI - *out = new(PKI) + *out = new(ImagePolicyPKIRootOfTrust) (*in).DeepCopyInto(*out) } return @@ -926,32 +952,6 @@ func (in *PolicyRootOfTrust) DeepCopy() *PolicyRootOfTrust { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PublicKey) DeepCopyInto(out *PublicKey) { - *out = *in - if in.KeyData != nil { - in, out := &in.KeyData, &out.KeyData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - if in.RekorKeyData != nil { - in, out := &in.RekorKeyData, &out.RekorKeyData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PublicKey. -func (in *PublicKey) DeepCopy() *PublicKey { - if in == nil { - return nil - } - out := new(PublicKey) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RetentionNumberConfig) DeepCopyInto(out *RetentionNumberConfig) { *out = *in diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go index 6ba6ad11f4..59a5b37085 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go @@ -226,17 +226,6 @@ func (UserDefinedMonitoring) SwaggerDoc() map[string]string { return map_UserDefinedMonitoring } -var map_FulcioCAWithRekor = map[string]string{ - "": "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.", - "fulcioCAData": "fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", - "rekorKeyData": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", - "fulcioSubject": "fulcioSubject specifies OIDC issuer and the email of the Fulcio authentication configuration.", -} - -func (FulcioCAWithRekor) SwaggerDoc() map[string]string { - return map_FulcioCAWithRekor -} - var map_ImagePolicy = map[string]string{ "": "ImagePolicy holds namespace-wide configuration for image signature verification\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", @@ -248,6 +237,17 @@ func (ImagePolicy) SwaggerDoc() map[string]string { return map_ImagePolicy } +var map_ImagePolicyFulcioCAWithRekorRootOfTrust = map[string]string{ + "": "ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.", + "fulcioCAData": "fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", + "rekorKeyData": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", + "fulcioSubject": "fulcioSubject specifies OIDC issuer and the email of the Fulcio authentication configuration.", +} + +func (ImagePolicyFulcioCAWithRekorRootOfTrust) SwaggerDoc() map[string]string { + return map_ImagePolicyFulcioCAWithRekorRootOfTrust +} + var map_ImagePolicyList = map[string]string{ "": "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", @@ -257,6 +257,27 @@ func (ImagePolicyList) SwaggerDoc() map[string]string { return map_ImagePolicyList } +var map_ImagePolicyPKIRootOfTrust = map[string]string{ + "": "ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", + "caRootsData": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. ", + "caIntermediatesData": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set. ", + "pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", +} + +func (ImagePolicyPKIRootOfTrust) SwaggerDoc() map[string]string { + return map_ImagePolicyPKIRootOfTrust +} + +var map_ImagePolicyPublicKeyRootOfTrust = map[string]string{ + "": "ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.", + "keyData": "keyData contains inline base64-encoded data for the PEM format public key. KeyData must be at most 8192 characters.", + "rekorKeyData": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", +} + +func (ImagePolicyPublicKeyRootOfTrust) SwaggerDoc() map[string]string { + return map_ImagePolicyPublicKeyRootOfTrust +} + var map_ImagePolicySpec = map[string]string{ "": "ImagePolicySpec is the specification of the ImagePolicy CRD.", "scopes": "scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", @@ -275,15 +296,14 @@ func (ImagePolicyStatus) SwaggerDoc() map[string]string { return map_ImagePolicyStatus } -var map_PKI = map[string]string{ - "": "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", - "caRootsData": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. ", - "caIntermediatesData": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set. ", - "pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", +var map_ImageSigstoreVerificationPolicy = map[string]string{ + "": "ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.", + "rootOfTrust": "rootOfTrust specifies the root of trust for the policy.", + "signedIdentity": "signedIdentity specifies what image identity the signature claims about the image. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", } -func (PKI) SwaggerDoc() map[string]string { - return map_PKI +func (ImageSigstoreVerificationPolicy) SwaggerDoc() map[string]string { + return map_ImageSigstoreVerificationPolicy } var map_PKICertificateSubject = map[string]string{ @@ -296,16 +316,6 @@ func (PKICertificateSubject) SwaggerDoc() map[string]string { return map_PKICertificateSubject } -var map_Policy = map[string]string{ - "": "Policy defines the verification policy for the items in the scopes list.", - "rootOfTrust": "rootOfTrust specifies the root of trust for the policy.", - "signedIdentity": "signedIdentity specifies what image identity the signature claims about the image. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", -} - -func (Policy) SwaggerDoc() map[string]string { - return map_Policy -} - var map_PolicyFulcioSubject = map[string]string{ "": "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.", "oidcIssuer": "oidcIssuer contains the expected OIDC issuer. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: \"https://expected.OIDC.issuer/\"", @@ -356,16 +366,6 @@ func (PolicyRootOfTrust) SwaggerDoc() map[string]string { return map_PolicyRootOfTrust } -var map_PublicKey = map[string]string{ - "": "PublicKey defines the root of trust based on a sigstore public key.", - "keyData": "keyData contains inline base64-encoded data for the PEM format public key. KeyData must be at most 8192 characters.", - "rekorKeyData": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", -} - -func (PublicKey) SwaggerDoc() map[string]string { - return map_PublicKey -} - var map_GatherConfig = map[string]string{ "": "gatherConfig provides data gathering configuration options.", "dataPolicy": "dataPolicy allows user to enable additional global obfuscation of the IP addresses and base domain in the Insights archive data. Valid values are \"None\" and \"ObfuscateNetworking\". When set to None the data is not obfuscated. When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.", diff --git a/vendor/github.com/openshift/api/features/features.go b/vendor/github.com/openshift/api/features/features.go index 29622d508e..289cf106bd 100644 --- a/vendor/github.com/openshift/api/features/features.go +++ b/vendor/github.com/openshift/api/features/features.go @@ -40,7 +40,7 @@ var ( reportProblemsToJiraComponent("Management Console"). contactPerson("jhadvig"). productScope(ocpSpecific). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). enhancementPR("https://github.com/openshift/enhancements/pull/1706"). mustRegister() @@ -49,7 +49,7 @@ var ( contactPerson("ibihim"). productScope(kubernetes). enhancementPR("https://github.com/kubernetes/enhancements/issues/4193"). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateMutatingAdmissionPolicy = newFeatureGate("MutatingAdmissionPolicy"). @@ -65,7 +65,7 @@ var ( contactPerson("miciah"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateOpenShiftPodSecurityAdmission = newFeatureGate("OpenShiftPodSecurityAdmission"). @@ -73,7 +73,7 @@ var ( contactPerson("ibihim"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/899"). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateBuildCSIVolumes = newFeatureGate("BuildCSIVolumes"). @@ -81,23 +81,15 @@ var ( contactPerson("adkaplan"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateDynamicResourceAllocation = newFeatureGate("DynamicResourceAllocation"). - reportProblemsToJiraComponent("scheduling"). - contactPerson("jchaloup"). - productScope(kubernetes). - enhancementPR("https://github.com/kubernetes/enhancements/issues/4381"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateAzureWorkloadIdentity = newFeatureGate("AzureWorkloadIdentity"). reportProblemsToJiraComponent("cloud-credential-operator"). contactPerson("abutcher"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateAzureDedicatedHosts = newFeatureGate("AzureDedicatedHosts"). @@ -128,7 +120,7 @@ var ( contactPerson("sgrunert"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD). mustRegister() FeatureGateSigstoreImageVerificationPKI = newFeatureGate("SigstoreImageVerificationPKI"). @@ -136,7 +128,7 @@ var ( contactPerson("QiWang"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1658"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD). mustRegister() FeatureGateAlibabaPlatform = newFeatureGate("AlibabaPlatform"). @@ -144,7 +136,7 @@ var ( contactPerson("jspeed"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateVSphereHostVMGroupZonal = newFeatureGate("VSphereHostVMGroupZonal"). @@ -160,7 +152,7 @@ var ( contactPerson("vr4manta"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1709"). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateRouteExternalCertificate = newFeatureGate("RouteExternalCertificate"). @@ -168,7 +160,7 @@ var ( contactPerson("chiragkyal"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateCPMSMachineNamePrefix = newFeatureGate("CPMSMachineNamePrefix"). @@ -176,7 +168,7 @@ var ( contactPerson("chiragkyal"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1714"). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateAdminNetworkPolicy = newFeatureGate("AdminNetworkPolicy"). @@ -184,7 +176,7 @@ var ( contactPerson("tssurya"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateNetworkSegmentation = newFeatureGate("NetworkSegmentation"). @@ -192,7 +184,15 @@ var ( contactPerson("tssurya"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1623"). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + + FeatureGateNetworkConnect = newFeatureGate("NetworkConnect"). + reportProblemsToJiraComponent("Networking/ovn-kubernetes"). + contactPerson("tssurya"). + productScope(ocpSpecific). + enhancementPR("https://github.com/ovn-kubernetes/ovn-kubernetes/pull/5246"). + enableIn(configv1.DevPreviewNoUpgrade). mustRegister() FeatureGateAdditionalRoutingCapabilities = newFeatureGate("AdditionalRoutingCapabilities"). @@ -200,7 +200,7 @@ var ( contactPerson("jcaamano"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateRouteAdvertisements = newFeatureGate("RouteAdvertisements"). @@ -208,15 +208,23 @@ var ( contactPerson("jcaamano"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateEVPN = newFeatureGate("EVPN"). + reportProblemsToJiraComponent("Networking/ovn-kubernetes"). + contactPerson("jcaamano"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1862"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateNetworkLiveMigration = newFeatureGate("NetworkLiveMigration"). reportProblemsToJiraComponent("Networking/ovn-kubernetes"). contactPerson("pliu"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateNetworkDiagnosticsConfig = newFeatureGate("NetworkDiagnosticsConfig"). @@ -224,7 +232,7 @@ var ( contactPerson("kyrtapz"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateOVNObservability = newFeatureGate("OVNObservability"). @@ -271,7 +279,7 @@ var ( contactPerson("ijanssen"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1765"). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateImageModeStatusReporting = newFeatureGate("ImageModeStatusReporting"). @@ -326,7 +334,7 @@ var ( contactPerson("djoshy"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateManagedBootImagesAWS = newFeatureGate("ManagedBootImagesAWS"). @@ -334,7 +342,7 @@ var ( contactPerson("djoshy"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateManagedBootImagesvSphere = newFeatureGate("ManagedBootImagesvSphere"). @@ -342,7 +350,7 @@ var ( contactPerson("rsaini"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1496"). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateManagedBootImagesAzure = newFeatureGate("ManagedBootImagesAzure"). @@ -350,7 +358,7 @@ var ( contactPerson("djoshy"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1761"). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateManagedBootImagesCPMS = newFeatureGate("ManagedBootImagesCPMS"). @@ -390,7 +398,7 @@ var ( contactPerson("dgrisonnet"). productScope(kubernetes). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGatePinnedImages = newFeatureGate("PinnedImages"). @@ -398,7 +406,7 @@ var ( contactPerson("RishabhSaini"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateUpgradeStatus = newFeatureGate("UpgradeStatus"). @@ -406,23 +414,15 @@ var ( contactPerson("pmuller"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD). mustRegister() - FeatureGateTranslateStreamCloseWebsocketRequests = newFeatureGate("TranslateStreamCloseWebsocketRequests"). - reportProblemsToJiraComponent("kube-apiserver"). - contactPerson("akashem"). - productScope(kubernetes). - enhancementPR("https://github.com/kubernetes/enhancements/issues/4006"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateVolumeAttributesClass = newFeatureGate("VolumeAttributesClass"). reportProblemsToJiraComponent("Storage / Kubernetes External Components"). contactPerson("dfajmon"). productScope(kubernetes). enhancementPR("https://github.com/kubernetes/enhancements/issues/3751"). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateVolumeGroupSnapshot = newFeatureGate("VolumeGroupSnapshot"). @@ -446,7 +446,7 @@ var ( contactPerson("liouk"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1596"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD). mustRegister() FeatureGateExternalOIDCWithAdditionalClaimMappings = newFeatureGate("ExternalOIDCWithUIDAndExtraClaimMappings"). @@ -454,9 +454,17 @@ var ( contactPerson("bpalmer"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1777"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD). mustRegister() + FeatureGateExternalOIDCWithUpstreamParity = newFeatureGate("ExternalOIDCWithUpstreamParity"). + reportProblemsToJiraComponent("authentication"). + contactPerson("saldawam"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1763"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateExample = newFeatureGate("Example"). reportProblemsToJiraComponent("cluster-config"). contactPerson("deads"). @@ -478,7 +486,7 @@ var ( contactPerson("joe"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). + enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD). mustRegister() FeatureGateNewOLMCatalogdAPIV1Metas = newFeatureGate("NewOLMCatalogdAPIV1Metas"). @@ -502,7 +510,7 @@ var ( contactPerson("nschieder"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1849"). - enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableForClusterProfile(SelfManaged, configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateNewOLMWebhookProviderOpenshiftServiceCA = newFeatureGate("NewOLMWebhookProviderOpenshiftServiceCA"). @@ -510,7 +518,7 @@ var ( contactPerson("pegoncal"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1844"). - enableForClusterProfile(SelfManaged, configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableForClusterProfile(SelfManaged, configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateNewOLMBoxCutterRuntime = newFeatureGate("NewOLMBoxCutterRuntime"). @@ -541,7 +549,7 @@ var ( contactPerson("rexagod"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateClusterAPIInstallIBMCloud = newFeatureGate("ClusterAPIInstallIBMCloud"). @@ -596,7 +604,7 @@ var ( contactPerson("psundara"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateUserNamespacesSupport = newFeatureGate("UserNamespacesSupport"). @@ -604,7 +612,7 @@ var ( contactPerson("haircommander"). productScope(kubernetes). enhancementPR("https://github.com/kubernetes/enhancements/issues/127"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD). mustRegister() // Note: this feature is perma-alpha, but it is safe and desireable to enable. @@ -615,7 +623,7 @@ var ( contactPerson("haircommander"). productScope(kubernetes). enhancementPR("https://github.com/kubernetes/enhancements/issues/127"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD). mustRegister() FeatureGateProcMountType = newFeatureGate("ProcMountType"). @@ -623,7 +631,7 @@ var ( contactPerson("haircommander"). productScope(kubernetes). enhancementPR("https://github.com/kubernetes/enhancements/issues/4265"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD). mustRegister() FeatureGateVSphereMultiNetworks = newFeatureGate("VSphereMultiNetworks"). @@ -631,7 +639,7 @@ var ( contactPerson("rvanderp"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateIngressControllerDynamicConfigurationManager = newFeatureGate("IngressControllerDynamicConfigurationManager"). @@ -671,7 +679,7 @@ var ( contactPerson("eggfoobar"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1674"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD). mustRegister() FeatureGateCVOConfiguration = newFeatureGate("ClusterVersionOperatorConfiguration"). @@ -682,6 +690,14 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateClusterUpdateAcceptRisks = newFeatureGate("ClusterUpdateAcceptRisks"). + reportProblemsToJiraComponent("Cluster Version Operator"). + contactPerson("hongkliu"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1807"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateGCPCustomAPIEndpoints = newFeatureGate("GCPCustomAPIEndpoints"). reportProblemsToJiraComponent("Installer"). contactPerson("barbacbd"). @@ -724,7 +740,7 @@ var ( // A dedicated feature gate now controls the Gateway Controller to distinguish // its production readiness from that of the CRDs. enhancementPR("https://github.com/openshift/enhancements/pull/1756"). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureShortCertRotation = newFeatureGate("ShortCertRotation"). @@ -755,7 +771,7 @@ var ( contactPerson("hekumar"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1804"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD). mustRegister() FeatureGateMultiDiskSetup = newFeatureGate("MultiDiskSetup"). @@ -787,7 +803,7 @@ var ( contactPerson("kyrtapz"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1793"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD). mustRegister() FeatureGateAWSServiceLBNetworkSecurityGroup = newFeatureGate("AWSServiceLBNetworkSecurityGroup"). @@ -803,7 +819,7 @@ var ( contactPerson("haircommander"). productScope(kubernetes). enhancementPR("https://github.com/openshift/enhancements/pull/1792"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD). mustRegister() FeatureGateNoRegistryClusterInstall = newFeatureGate("NoRegistryClusterInstall"). @@ -819,7 +835,7 @@ var ( contactPerson("barbacbd"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1468"). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateAWSClusterHostedDNSInstall = newFeatureGate("AWSClusterHostedDNSInstall"). @@ -943,6 +959,14 @@ var ( contactPerson("csrwng"). productScope(ocpSpecific). enhancementPR("https://github.com/kubernetes/enhancements/issues/4381"). - enableForClusterProfile(Hypershift, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). + enableForClusterProfile(Hypershift, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD). mustRegister() + + FeatureGateConfigurablePKI = newFeatureGate("ConfigurablePKI"). + reportProblemsToJiraComponent("kube-apiserver"). + contactPerson("sanchezl"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1882"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() ) diff --git a/vendor/github.com/openshift/api/features/util.go b/vendor/github.com/openshift/api/features/util.go index 59bb7bff40..8606b6befd 100644 --- a/vendor/github.com/openshift/api/features/util.go +++ b/vendor/github.com/openshift/api/features/util.go @@ -2,9 +2,10 @@ package features import ( "fmt" - configv1 "github.com/openshift/api/config/v1" "net/url" "strings" + + configv1 "github.com/openshift/api/config/v1" ) // FeatureGateDescription is a golang-only interface used to contains details for a feature gate. @@ -133,8 +134,10 @@ func (b *featureGateBuilder) register() (configv1.FeatureGateName, error) { case len(b.enhancementPRURL) == 0: return "", fmt.Errorf("FeatureGate/%s is missing an enhancementPR with GA Graduation Criteria like https://github.com/openshift/enhancements/pull/#### or https://github.com/kubernetes/enhancements/issues/####", b.name) - case !strings.HasPrefix(b.enhancementPRURL, "https://github.com/openshift/enhancements/pull/") && !strings.HasPrefix(b.enhancementPRURL, "https://github.com/kubernetes/enhancements/issues/"): - return "", fmt.Errorf("FeatureGate/%s enhancementPR format is incorrect; must be like https://github.com/openshift/enhancements/pull/#### or https://github.com/kubernetes/enhancements/issues/####", b.name) + case !strings.HasPrefix(b.enhancementPRURL, "https://github.com/openshift/enhancements/pull/") && + !strings.HasPrefix(b.enhancementPRURL, "https://github.com/kubernetes/enhancements/issues/") && + !strings.HasPrefix(b.enhancementPRURL, "https://github.com/ovn-kubernetes/ovn-kubernetes/pull/"): + return "", fmt.Errorf("FeatureGate/%s enhancementPR format is incorrect; must be like https://github.com/openshift/enhancements/pull/#### or https://github.com/kubernetes/enhancements/issues/#### or https://github.com/ovn-kubernetes/ovn-kubernetes/pull/####", b.name) case enhancementPRErr != nil: return "", fmt.Errorf("FeatureGate/%s is enhancementPR is invalid: %w", b.name, enhancementPRErr) diff --git a/vendor/github.com/openshift/api/operator/v1/types_console.go b/vendor/github.com/openshift/api/operator/v1/types_console.go index e030a65c86..35795b2b71 100644 --- a/vendor/github.com/openshift/api/operator/v1/types_console.go +++ b/vendor/github.com/openshift/api/operator/v1/types_console.go @@ -107,6 +107,9 @@ const ( // gettingStartedBanner is the name of the 'Getting started resources' banner in the console UI Overview page. GettingStartedBanner ConsoleCapabilityName = "GettingStartedBanner" + + // guidedTour is the name of the 'Guided Tour' feature in console UI. + GuidedTour ConsoleCapabilityName = "GuidedTour" ) // CapabilityState defines the state of the capability in the console UI. @@ -134,8 +137,8 @@ type CapabilityVisibility struct { // Capabilities contains set of UI capabilities and their state in the console UI. type Capability struct { // name is the unique name of a capability. - // Available capabilities are LightspeedButton and GettingStartedBanner. - // +kubebuilder:validation:Enum:="LightspeedButton";"GettingStartedBanner" + // Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour. + // +kubebuilder:validation:Enum:="LightspeedButton";"GettingStartedBanner";"GuidedTour" // +required Name ConsoleCapabilityName `json:"name"` // visibility defines the visibility state of the capability. @@ -281,10 +284,10 @@ type ConsoleCustomization struct { // capabilities defines an array of capabilities that can be interacted with in the console UI. // Each capability defines a visual state that can be interacted with the console to render in the UI. - // Available capabilities are LightspeedButton and GettingStartedBanner. + // Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour. // Each of the available capabilities may appear only once in the list. // +kubebuilder:validation:MinItems=1 - // +kubebuilder:validation:MaxItems=2 + // +kubebuilder:validation:MaxItems=3 // +listType=map // +listMapKey=name // +optional diff --git a/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go b/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go index c6bcd22bc0..f5836af0f8 100644 --- a/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go +++ b/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go @@ -18,7 +18,8 @@ import ( // Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). // +openshift:compatibility-gen:level=1 // +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? self.?spec.managedBootImages.hasValue() || self.?status.managedBootImagesStatus.hasValue() : true",message="when skew enforcement is in Automatic mode, a boot image configuration is required" -// +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || self.spec.managedBootImages.machineManagers.exists(m, m.selection.mode == 'All' && m.resource == 'machinesets' && m.apiGroup == 'machine.openshift.io') : true",message="when skew enforcement is in Automatic mode, managedBootImages must contain a MachineManager opting in all MachineAPI MachineSets" +// +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || size(self.spec.managedBootImages.machineManagers) > 0 : true",message="when skew enforcement is in Automatic mode, managedBootImages.machineManagers must not be an empty list" +// +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || !self.spec.managedBootImages.machineManagers.exists(m, m.resource == 'machinesets' && m.apiGroup == 'machine.openshift.io') || self.spec.managedBootImages.machineManagers.exists(m, m.resource == 'machinesets' && m.apiGroup == 'machine.openshift.io' && m.selection.mode == 'All') : true",message="when skew enforcement is in Automatic mode, any MachineAPI MachineSet MachineManager must use selection mode 'All'" // +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? !(self.?status.managedBootImagesStatus.machineManagers.hasValue()) || self.status.managedBootImagesStatus.machineManagers.exists(m, m.selection.mode == 'All' && m.resource == 'machinesets' && m.apiGroup == 'machine.openshift.io'): true",message="when skew enforcement is in Automatic mode, managedBootImagesStatus must contain a MachineManager opting in all MachineAPI MachineSets" type MachineConfiguration struct { metav1.TypeMeta `json:",inline"` diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go index 06096a6c81..64aac26eb3 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go @@ -210,7 +210,7 @@ func (AddPage) SwaggerDoc() map[string]string { var map_Capability = map[string]string{ "": "Capabilities contains set of UI capabilities and their state in the console UI.", - "name": "name is the unique name of a capability. Available capabilities are LightspeedButton and GettingStartedBanner.", + "name": "name is the unique name of a capability. Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour.", "visibility": "visibility defines the visibility state of the capability.", } @@ -259,7 +259,7 @@ func (ConsoleConfigRoute) SwaggerDoc() map[string]string { var map_ConsoleCustomization = map[string]string{ "": "ConsoleCustomization defines a list of optional configuration for the console UI. Ensure that Logos and CustomLogoFile cannot be set at the same time.", "logos": "logos is used to replace the OpenShift Masthead and Favicon logos in the console UI with custom logos. logos is an optional field that allows a list of logos. Only one of logos or customLogoFile can be set at a time. If logos is set, customLogoFile must be unset. When specified, there must be at least one entry and no more than 2 entries. Each type must appear only once in the list.", - "capabilities": "capabilities defines an array of capabilities that can be interacted with in the console UI. Each capability defines a visual state that can be interacted with the console to render in the UI. Available capabilities are LightspeedButton and GettingStartedBanner. Each of the available capabilities may appear only once in the list.", + "capabilities": "capabilities defines an array of capabilities that can be interacted with in the console UI. Each capability defines a visual state that can be interacted with the console to render in the UI. Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour. Each of the available capabilities may appear only once in the list.", "brand": "brand is the default branding of the web console which can be overridden by providing the brand field. There is a limited set of specific brand options. This field controls elements of the console such as the logo. Invalid value will prevent a console rollout.", "documentationBaseURL": "documentationBaseURL links to external documentation are shown in various sections of the web console. Providing documentationBaseURL will override the default documentation URL. Invalid value will prevent a console rollout.", "customProductName": "customProductName is the name that will be displayed in page titles, logo alt text, and the about dialog instead of the normal OpenShift product name.", diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicyspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicyspec.go index 6c86d66d47..8cee680f27 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicyspec.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicyspec.go @@ -9,8 +9,8 @@ import ( // ClusterImagePolicySpecApplyConfiguration represents a declarative configuration of the ClusterImagePolicySpec type for use // with apply. type ClusterImagePolicySpecApplyConfiguration struct { - Scopes []configv1.ImageScope `json:"scopes,omitempty"` - Policy *PolicyApplyConfiguration `json:"policy,omitempty"` + Scopes []configv1.ImageScope `json:"scopes,omitempty"` + Policy *ImageSigstoreVerificationPolicyApplyConfiguration `json:"policy,omitempty"` } // ClusterImagePolicySpecApplyConfiguration constructs a declarative configuration of the ClusterImagePolicySpec type for use with @@ -32,7 +32,7 @@ func (b *ClusterImagePolicySpecApplyConfiguration) WithScopes(values ...configv1 // WithPolicy sets the Policy field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Policy field is set to the value of the last call. -func (b *ClusterImagePolicySpecApplyConfiguration) WithPolicy(value *PolicyApplyConfiguration) *ClusterImagePolicySpecApplyConfiguration { +func (b *ClusterImagePolicySpecApplyConfiguration) WithPolicy(value *ImageSigstoreVerificationPolicyApplyConfiguration) *ClusterImagePolicySpecApplyConfiguration { b.Policy = value return b } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/fulciocawithrekor.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicyfulciocawithrekorrootoftrust.go similarity index 57% rename from vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/fulciocawithrekor.go rename to vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicyfulciocawithrekorrootoftrust.go index 48b553580d..a4c831fca0 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/fulciocawithrekor.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicyfulciocawithrekorrootoftrust.go @@ -2,24 +2,24 @@ package v1 -// FulcioCAWithRekorApplyConfiguration represents a declarative configuration of the FulcioCAWithRekor type for use +// ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration represents a declarative configuration of the ImagePolicyFulcioCAWithRekorRootOfTrust type for use // with apply. -type FulcioCAWithRekorApplyConfiguration struct { +type ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration struct { FulcioCAData []byte `json:"fulcioCAData,omitempty"` RekorKeyData []byte `json:"rekorKeyData,omitempty"` FulcioSubject *PolicyFulcioSubjectApplyConfiguration `json:"fulcioSubject,omitempty"` } -// FulcioCAWithRekorApplyConfiguration constructs a declarative configuration of the FulcioCAWithRekor type for use with +// ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration constructs a declarative configuration of the ImagePolicyFulcioCAWithRekorRootOfTrust type for use with // apply. -func FulcioCAWithRekor() *FulcioCAWithRekorApplyConfiguration { - return &FulcioCAWithRekorApplyConfiguration{} +func ImagePolicyFulcioCAWithRekorRootOfTrust() *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration { + return &ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration{} } // WithFulcioCAData adds the given value to the FulcioCAData field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the FulcioCAData field. -func (b *FulcioCAWithRekorApplyConfiguration) WithFulcioCAData(values ...byte) *FulcioCAWithRekorApplyConfiguration { +func (b *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration) WithFulcioCAData(values ...byte) *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration { for i := range values { b.FulcioCAData = append(b.FulcioCAData, values[i]) } @@ -29,7 +29,7 @@ func (b *FulcioCAWithRekorApplyConfiguration) WithFulcioCAData(values ...byte) * // WithRekorKeyData adds the given value to the RekorKeyData field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the RekorKeyData field. -func (b *FulcioCAWithRekorApplyConfiguration) WithRekorKeyData(values ...byte) *FulcioCAWithRekorApplyConfiguration { +func (b *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration) WithRekorKeyData(values ...byte) *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration { for i := range values { b.RekorKeyData = append(b.RekorKeyData, values[i]) } @@ -39,7 +39,7 @@ func (b *FulcioCAWithRekorApplyConfiguration) WithRekorKeyData(values ...byte) * // WithFulcioSubject sets the FulcioSubject field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the FulcioSubject field is set to the value of the last call. -func (b *FulcioCAWithRekorApplyConfiguration) WithFulcioSubject(value *PolicyFulcioSubjectApplyConfiguration) *FulcioCAWithRekorApplyConfiguration { +func (b *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration) WithFulcioSubject(value *PolicyFulcioSubjectApplyConfiguration) *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration { b.FulcioSubject = value return b } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/pki.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicypkirootoftrust.go similarity index 65% rename from vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/pki.go rename to vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicypkirootoftrust.go index 65f27edf8e..9a0c257b7f 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/pki.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicypkirootoftrust.go @@ -2,24 +2,24 @@ package v1 -// PKIApplyConfiguration represents a declarative configuration of the PKI type for use +// ImagePolicyPKIRootOfTrustApplyConfiguration represents a declarative configuration of the ImagePolicyPKIRootOfTrust type for use // with apply. -type PKIApplyConfiguration struct { +type ImagePolicyPKIRootOfTrustApplyConfiguration struct { CertificateAuthorityRootsData []byte `json:"caRootsData,omitempty"` CertificateAuthorityIntermediatesData []byte `json:"caIntermediatesData,omitempty"` PKICertificateSubject *PKICertificateSubjectApplyConfiguration `json:"pkiCertificateSubject,omitempty"` } -// PKIApplyConfiguration constructs a declarative configuration of the PKI type for use with +// ImagePolicyPKIRootOfTrustApplyConfiguration constructs a declarative configuration of the ImagePolicyPKIRootOfTrust type for use with // apply. -func PKI() *PKIApplyConfiguration { - return &PKIApplyConfiguration{} +func ImagePolicyPKIRootOfTrust() *ImagePolicyPKIRootOfTrustApplyConfiguration { + return &ImagePolicyPKIRootOfTrustApplyConfiguration{} } // WithCertificateAuthorityRootsData adds the given value to the CertificateAuthorityRootsData field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the CertificateAuthorityRootsData field. -func (b *PKIApplyConfiguration) WithCertificateAuthorityRootsData(values ...byte) *PKIApplyConfiguration { +func (b *ImagePolicyPKIRootOfTrustApplyConfiguration) WithCertificateAuthorityRootsData(values ...byte) *ImagePolicyPKIRootOfTrustApplyConfiguration { for i := range values { b.CertificateAuthorityRootsData = append(b.CertificateAuthorityRootsData, values[i]) } @@ -29,7 +29,7 @@ func (b *PKIApplyConfiguration) WithCertificateAuthorityRootsData(values ...byte // WithCertificateAuthorityIntermediatesData adds the given value to the CertificateAuthorityIntermediatesData field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the CertificateAuthorityIntermediatesData field. -func (b *PKIApplyConfiguration) WithCertificateAuthorityIntermediatesData(values ...byte) *PKIApplyConfiguration { +func (b *ImagePolicyPKIRootOfTrustApplyConfiguration) WithCertificateAuthorityIntermediatesData(values ...byte) *ImagePolicyPKIRootOfTrustApplyConfiguration { for i := range values { b.CertificateAuthorityIntermediatesData = append(b.CertificateAuthorityIntermediatesData, values[i]) } @@ -39,7 +39,7 @@ func (b *PKIApplyConfiguration) WithCertificateAuthorityIntermediatesData(values // WithPKICertificateSubject sets the PKICertificateSubject field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the PKICertificateSubject field is set to the value of the last call. -func (b *PKIApplyConfiguration) WithPKICertificateSubject(value *PKICertificateSubjectApplyConfiguration) *PKIApplyConfiguration { +func (b *ImagePolicyPKIRootOfTrustApplyConfiguration) WithPKICertificateSubject(value *PKICertificateSubjectApplyConfiguration) *ImagePolicyPKIRootOfTrustApplyConfiguration { b.PKICertificateSubject = value return b } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/publickey.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicypublickeyrootoftrust.go similarity index 54% rename from vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/publickey.go rename to vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicypublickeyrootoftrust.go index c1073e882f..a144573097 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/publickey.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicypublickeyrootoftrust.go @@ -2,23 +2,23 @@ package v1 -// PublicKeyApplyConfiguration represents a declarative configuration of the PublicKey type for use +// ImagePolicyPublicKeyRootOfTrustApplyConfiguration represents a declarative configuration of the ImagePolicyPublicKeyRootOfTrust type for use // with apply. -type PublicKeyApplyConfiguration struct { +type ImagePolicyPublicKeyRootOfTrustApplyConfiguration struct { KeyData []byte `json:"keyData,omitempty"` RekorKeyData []byte `json:"rekorKeyData,omitempty"` } -// PublicKeyApplyConfiguration constructs a declarative configuration of the PublicKey type for use with +// ImagePolicyPublicKeyRootOfTrustApplyConfiguration constructs a declarative configuration of the ImagePolicyPublicKeyRootOfTrust type for use with // apply. -func PublicKey() *PublicKeyApplyConfiguration { - return &PublicKeyApplyConfiguration{} +func ImagePolicyPublicKeyRootOfTrust() *ImagePolicyPublicKeyRootOfTrustApplyConfiguration { + return &ImagePolicyPublicKeyRootOfTrustApplyConfiguration{} } // WithKeyData adds the given value to the KeyData field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the KeyData field. -func (b *PublicKeyApplyConfiguration) WithKeyData(values ...byte) *PublicKeyApplyConfiguration { +func (b *ImagePolicyPublicKeyRootOfTrustApplyConfiguration) WithKeyData(values ...byte) *ImagePolicyPublicKeyRootOfTrustApplyConfiguration { for i := range values { b.KeyData = append(b.KeyData, values[i]) } @@ -28,7 +28,7 @@ func (b *PublicKeyApplyConfiguration) WithKeyData(values ...byte) *PublicKeyAppl // WithRekorKeyData adds the given value to the RekorKeyData field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the RekorKeyData field. -func (b *PublicKeyApplyConfiguration) WithRekorKeyData(values ...byte) *PublicKeyApplyConfiguration { +func (b *ImagePolicyPublicKeyRootOfTrustApplyConfiguration) WithRekorKeyData(values ...byte) *ImagePolicyPublicKeyRootOfTrustApplyConfiguration { for i := range values { b.RekorKeyData = append(b.RekorKeyData, values[i]) } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicyspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicyspec.go index b75165c8d0..3211964690 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicyspec.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicyspec.go @@ -9,8 +9,8 @@ import ( // ImagePolicySpecApplyConfiguration represents a declarative configuration of the ImagePolicySpec type for use // with apply. type ImagePolicySpecApplyConfiguration struct { - Scopes []configv1.ImageScope `json:"scopes,omitempty"` - Policy *PolicyApplyConfiguration `json:"policy,omitempty"` + Scopes []configv1.ImageScope `json:"scopes,omitempty"` + Policy *ImageSigstoreVerificationPolicyApplyConfiguration `json:"policy,omitempty"` } // ImagePolicySpecApplyConfiguration constructs a declarative configuration of the ImagePolicySpec type for use with @@ -32,7 +32,7 @@ func (b *ImagePolicySpecApplyConfiguration) WithScopes(values ...configv1.ImageS // WithPolicy sets the Policy field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Policy field is set to the value of the last call. -func (b *ImagePolicySpecApplyConfiguration) WithPolicy(value *PolicyApplyConfiguration) *ImagePolicySpecApplyConfiguration { +func (b *ImagePolicySpecApplyConfiguration) WithPolicy(value *ImageSigstoreVerificationPolicyApplyConfiguration) *ImagePolicySpecApplyConfiguration { b.Policy = value return b } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policy.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagesigstoreverificationpolicy.go similarity index 52% rename from vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policy.go rename to vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagesigstoreverificationpolicy.go index 3e29510bf1..6f0d5d2e7c 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policy.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagesigstoreverificationpolicy.go @@ -2,23 +2,23 @@ package v1 -// PolicyApplyConfiguration represents a declarative configuration of the Policy type for use +// ImageSigstoreVerificationPolicyApplyConfiguration represents a declarative configuration of the ImageSigstoreVerificationPolicy type for use // with apply. -type PolicyApplyConfiguration struct { +type ImageSigstoreVerificationPolicyApplyConfiguration struct { RootOfTrust *PolicyRootOfTrustApplyConfiguration `json:"rootOfTrust,omitempty"` SignedIdentity *PolicyIdentityApplyConfiguration `json:"signedIdentity,omitempty"` } -// PolicyApplyConfiguration constructs a declarative configuration of the Policy type for use with +// ImageSigstoreVerificationPolicyApplyConfiguration constructs a declarative configuration of the ImageSigstoreVerificationPolicy type for use with // apply. -func Policy() *PolicyApplyConfiguration { - return &PolicyApplyConfiguration{} +func ImageSigstoreVerificationPolicy() *ImageSigstoreVerificationPolicyApplyConfiguration { + return &ImageSigstoreVerificationPolicyApplyConfiguration{} } // WithRootOfTrust sets the RootOfTrust field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the RootOfTrust field is set to the value of the last call. -func (b *PolicyApplyConfiguration) WithRootOfTrust(value *PolicyRootOfTrustApplyConfiguration) *PolicyApplyConfiguration { +func (b *ImageSigstoreVerificationPolicyApplyConfiguration) WithRootOfTrust(value *PolicyRootOfTrustApplyConfiguration) *ImageSigstoreVerificationPolicyApplyConfiguration { b.RootOfTrust = value return b } @@ -26,7 +26,7 @@ func (b *PolicyApplyConfiguration) WithRootOfTrust(value *PolicyRootOfTrustApply // WithSignedIdentity sets the SignedIdentity field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the SignedIdentity field is set to the value of the last call. -func (b *PolicyApplyConfiguration) WithSignedIdentity(value *PolicyIdentityApplyConfiguration) *PolicyApplyConfiguration { +func (b *ImageSigstoreVerificationPolicyApplyConfiguration) WithSignedIdentity(value *PolicyIdentityApplyConfiguration) *ImageSigstoreVerificationPolicyApplyConfiguration { b.SignedIdentity = value return b } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyrootoftrust.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyrootoftrust.go index f1ff91ffbd..6b3e46f473 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyrootoftrust.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyrootoftrust.go @@ -9,10 +9,10 @@ import ( // PolicyRootOfTrustApplyConfiguration represents a declarative configuration of the PolicyRootOfTrust type for use // with apply. type PolicyRootOfTrustApplyConfiguration struct { - PolicyType *configv1.PolicyType `json:"policyType,omitempty"` - PublicKey *PublicKeyApplyConfiguration `json:"publicKey,omitempty"` - FulcioCAWithRekor *FulcioCAWithRekorApplyConfiguration `json:"fulcioCAWithRekor,omitempty"` - PKI *PKIApplyConfiguration `json:"pki,omitempty"` + PolicyType *configv1.PolicyType `json:"policyType,omitempty"` + PublicKey *ImagePolicyPublicKeyRootOfTrustApplyConfiguration `json:"publicKey,omitempty"` + FulcioCAWithRekor *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration `json:"fulcioCAWithRekor,omitempty"` + PKI *ImagePolicyPKIRootOfTrustApplyConfiguration `json:"pki,omitempty"` } // PolicyRootOfTrustApplyConfiguration constructs a declarative configuration of the PolicyRootOfTrust type for use with @@ -32,7 +32,7 @@ func (b *PolicyRootOfTrustApplyConfiguration) WithPolicyType(value configv1.Poli // WithPublicKey sets the PublicKey field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the PublicKey field is set to the value of the last call. -func (b *PolicyRootOfTrustApplyConfiguration) WithPublicKey(value *PublicKeyApplyConfiguration) *PolicyRootOfTrustApplyConfiguration { +func (b *PolicyRootOfTrustApplyConfiguration) WithPublicKey(value *ImagePolicyPublicKeyRootOfTrustApplyConfiguration) *PolicyRootOfTrustApplyConfiguration { b.PublicKey = value return b } @@ -40,7 +40,7 @@ func (b *PolicyRootOfTrustApplyConfiguration) WithPublicKey(value *PublicKeyAppl // WithFulcioCAWithRekor sets the FulcioCAWithRekor field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the FulcioCAWithRekor field is set to the value of the last call. -func (b *PolicyRootOfTrustApplyConfiguration) WithFulcioCAWithRekor(value *FulcioCAWithRekorApplyConfiguration) *PolicyRootOfTrustApplyConfiguration { +func (b *PolicyRootOfTrustApplyConfiguration) WithFulcioCAWithRekor(value *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration) *PolicyRootOfTrustApplyConfiguration { b.FulcioCAWithRekor = value return b } @@ -48,7 +48,7 @@ func (b *PolicyRootOfTrustApplyConfiguration) WithFulcioCAWithRekor(value *Fulci // WithPKI sets the PKI field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the PKI field is set to the value of the last call. -func (b *PolicyRootOfTrustApplyConfiguration) WithPKI(value *PKIApplyConfiguration) *PolicyRootOfTrustApplyConfiguration { +func (b *PolicyRootOfTrustApplyConfiguration) WithPKI(value *ImagePolicyPKIRootOfTrustApplyConfiguration) *PolicyRootOfTrustApplyConfiguration { b.PKI = value return b } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicyspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicyspec.go index e4a3470c45..e1c4c630ea 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicyspec.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicyspec.go @@ -9,8 +9,8 @@ import ( // ClusterImagePolicySpecApplyConfiguration represents a declarative configuration of the ClusterImagePolicySpec type for use // with apply. type ClusterImagePolicySpecApplyConfiguration struct { - Scopes []configv1alpha1.ImageScope `json:"scopes,omitempty"` - Policy *PolicyApplyConfiguration `json:"policy,omitempty"` + Scopes []configv1alpha1.ImageScope `json:"scopes,omitempty"` + Policy *ImageSigstoreVerificationPolicyApplyConfiguration `json:"policy,omitempty"` } // ClusterImagePolicySpecApplyConfiguration constructs a declarative configuration of the ClusterImagePolicySpec type for use with @@ -32,7 +32,7 @@ func (b *ClusterImagePolicySpecApplyConfiguration) WithScopes(values ...configv1 // WithPolicy sets the Policy field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Policy field is set to the value of the last call. -func (b *ClusterImagePolicySpecApplyConfiguration) WithPolicy(value *PolicyApplyConfiguration) *ClusterImagePolicySpecApplyConfiguration { +func (b *ClusterImagePolicySpecApplyConfiguration) WithPolicy(value *ImageSigstoreVerificationPolicyApplyConfiguration) *ClusterImagePolicySpecApplyConfiguration { b.Policy = value return b } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/fulciocawithrekor.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicyfulciocawithrekorrootoftrust.go similarity index 57% rename from vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/fulciocawithrekor.go rename to vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicyfulciocawithrekorrootoftrust.go index 2a907a7e97..2fcaa36215 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/fulciocawithrekor.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicyfulciocawithrekorrootoftrust.go @@ -2,24 +2,24 @@ package v1alpha1 -// FulcioCAWithRekorApplyConfiguration represents a declarative configuration of the FulcioCAWithRekor type for use +// ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration represents a declarative configuration of the ImagePolicyFulcioCAWithRekorRootOfTrust type for use // with apply. -type FulcioCAWithRekorApplyConfiguration struct { +type ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration struct { FulcioCAData []byte `json:"fulcioCAData,omitempty"` RekorKeyData []byte `json:"rekorKeyData,omitempty"` FulcioSubject *PolicyFulcioSubjectApplyConfiguration `json:"fulcioSubject,omitempty"` } -// FulcioCAWithRekorApplyConfiguration constructs a declarative configuration of the FulcioCAWithRekor type for use with +// ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration constructs a declarative configuration of the ImagePolicyFulcioCAWithRekorRootOfTrust type for use with // apply. -func FulcioCAWithRekor() *FulcioCAWithRekorApplyConfiguration { - return &FulcioCAWithRekorApplyConfiguration{} +func ImagePolicyFulcioCAWithRekorRootOfTrust() *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration { + return &ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration{} } // WithFulcioCAData adds the given value to the FulcioCAData field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the FulcioCAData field. -func (b *FulcioCAWithRekorApplyConfiguration) WithFulcioCAData(values ...byte) *FulcioCAWithRekorApplyConfiguration { +func (b *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration) WithFulcioCAData(values ...byte) *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration { for i := range values { b.FulcioCAData = append(b.FulcioCAData, values[i]) } @@ -29,7 +29,7 @@ func (b *FulcioCAWithRekorApplyConfiguration) WithFulcioCAData(values ...byte) * // WithRekorKeyData adds the given value to the RekorKeyData field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the RekorKeyData field. -func (b *FulcioCAWithRekorApplyConfiguration) WithRekorKeyData(values ...byte) *FulcioCAWithRekorApplyConfiguration { +func (b *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration) WithRekorKeyData(values ...byte) *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration { for i := range values { b.RekorKeyData = append(b.RekorKeyData, values[i]) } @@ -39,7 +39,7 @@ func (b *FulcioCAWithRekorApplyConfiguration) WithRekorKeyData(values ...byte) * // WithFulcioSubject sets the FulcioSubject field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the FulcioSubject field is set to the value of the last call. -func (b *FulcioCAWithRekorApplyConfiguration) WithFulcioSubject(value *PolicyFulcioSubjectApplyConfiguration) *FulcioCAWithRekorApplyConfiguration { +func (b *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration) WithFulcioSubject(value *PolicyFulcioSubjectApplyConfiguration) *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration { b.FulcioSubject = value return b } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/pki.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicypkirootoftrust.go similarity index 65% rename from vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/pki.go rename to vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicypkirootoftrust.go index 455abe02a2..a218867ea9 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/pki.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicypkirootoftrust.go @@ -2,24 +2,24 @@ package v1alpha1 -// PKIApplyConfiguration represents a declarative configuration of the PKI type for use +// ImagePolicyPKIRootOfTrustApplyConfiguration represents a declarative configuration of the ImagePolicyPKIRootOfTrust type for use // with apply. -type PKIApplyConfiguration struct { +type ImagePolicyPKIRootOfTrustApplyConfiguration struct { CertificateAuthorityRootsData []byte `json:"caRootsData,omitempty"` CertificateAuthorityIntermediatesData []byte `json:"caIntermediatesData,omitempty"` PKICertificateSubject *PKICertificateSubjectApplyConfiguration `json:"pkiCertificateSubject,omitempty"` } -// PKIApplyConfiguration constructs a declarative configuration of the PKI type for use with +// ImagePolicyPKIRootOfTrustApplyConfiguration constructs a declarative configuration of the ImagePolicyPKIRootOfTrust type for use with // apply. -func PKI() *PKIApplyConfiguration { - return &PKIApplyConfiguration{} +func ImagePolicyPKIRootOfTrust() *ImagePolicyPKIRootOfTrustApplyConfiguration { + return &ImagePolicyPKIRootOfTrustApplyConfiguration{} } // WithCertificateAuthorityRootsData adds the given value to the CertificateAuthorityRootsData field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the CertificateAuthorityRootsData field. -func (b *PKIApplyConfiguration) WithCertificateAuthorityRootsData(values ...byte) *PKIApplyConfiguration { +func (b *ImagePolicyPKIRootOfTrustApplyConfiguration) WithCertificateAuthorityRootsData(values ...byte) *ImagePolicyPKIRootOfTrustApplyConfiguration { for i := range values { b.CertificateAuthorityRootsData = append(b.CertificateAuthorityRootsData, values[i]) } @@ -29,7 +29,7 @@ func (b *PKIApplyConfiguration) WithCertificateAuthorityRootsData(values ...byte // WithCertificateAuthorityIntermediatesData adds the given value to the CertificateAuthorityIntermediatesData field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the CertificateAuthorityIntermediatesData field. -func (b *PKIApplyConfiguration) WithCertificateAuthorityIntermediatesData(values ...byte) *PKIApplyConfiguration { +func (b *ImagePolicyPKIRootOfTrustApplyConfiguration) WithCertificateAuthorityIntermediatesData(values ...byte) *ImagePolicyPKIRootOfTrustApplyConfiguration { for i := range values { b.CertificateAuthorityIntermediatesData = append(b.CertificateAuthorityIntermediatesData, values[i]) } @@ -39,7 +39,7 @@ func (b *PKIApplyConfiguration) WithCertificateAuthorityIntermediatesData(values // WithPKICertificateSubject sets the PKICertificateSubject field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the PKICertificateSubject field is set to the value of the last call. -func (b *PKIApplyConfiguration) WithPKICertificateSubject(value *PKICertificateSubjectApplyConfiguration) *PKIApplyConfiguration { +func (b *ImagePolicyPKIRootOfTrustApplyConfiguration) WithPKICertificateSubject(value *PKICertificateSubjectApplyConfiguration) *ImagePolicyPKIRootOfTrustApplyConfiguration { b.PKICertificateSubject = value return b } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/publickey.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicypublickeyrootoftrust.go similarity index 54% rename from vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/publickey.go rename to vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicypublickeyrootoftrust.go index 91665a90b7..22513de628 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/publickey.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicypublickeyrootoftrust.go @@ -2,23 +2,23 @@ package v1alpha1 -// PublicKeyApplyConfiguration represents a declarative configuration of the PublicKey type for use +// ImagePolicyPublicKeyRootOfTrustApplyConfiguration represents a declarative configuration of the ImagePolicyPublicKeyRootOfTrust type for use // with apply. -type PublicKeyApplyConfiguration struct { +type ImagePolicyPublicKeyRootOfTrustApplyConfiguration struct { KeyData []byte `json:"keyData,omitempty"` RekorKeyData []byte `json:"rekorKeyData,omitempty"` } -// PublicKeyApplyConfiguration constructs a declarative configuration of the PublicKey type for use with +// ImagePolicyPublicKeyRootOfTrustApplyConfiguration constructs a declarative configuration of the ImagePolicyPublicKeyRootOfTrust type for use with // apply. -func PublicKey() *PublicKeyApplyConfiguration { - return &PublicKeyApplyConfiguration{} +func ImagePolicyPublicKeyRootOfTrust() *ImagePolicyPublicKeyRootOfTrustApplyConfiguration { + return &ImagePolicyPublicKeyRootOfTrustApplyConfiguration{} } // WithKeyData adds the given value to the KeyData field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the KeyData field. -func (b *PublicKeyApplyConfiguration) WithKeyData(values ...byte) *PublicKeyApplyConfiguration { +func (b *ImagePolicyPublicKeyRootOfTrustApplyConfiguration) WithKeyData(values ...byte) *ImagePolicyPublicKeyRootOfTrustApplyConfiguration { for i := range values { b.KeyData = append(b.KeyData, values[i]) } @@ -28,7 +28,7 @@ func (b *PublicKeyApplyConfiguration) WithKeyData(values ...byte) *PublicKeyAppl // WithRekorKeyData adds the given value to the RekorKeyData field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the RekorKeyData field. -func (b *PublicKeyApplyConfiguration) WithRekorKeyData(values ...byte) *PublicKeyApplyConfiguration { +func (b *ImagePolicyPublicKeyRootOfTrustApplyConfiguration) WithRekorKeyData(values ...byte) *ImagePolicyPublicKeyRootOfTrustApplyConfiguration { for i := range values { b.RekorKeyData = append(b.RekorKeyData, values[i]) } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicyspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicyspec.go index ac08e9cf4e..84969b600d 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicyspec.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicyspec.go @@ -9,8 +9,8 @@ import ( // ImagePolicySpecApplyConfiguration represents a declarative configuration of the ImagePolicySpec type for use // with apply. type ImagePolicySpecApplyConfiguration struct { - Scopes []configv1alpha1.ImageScope `json:"scopes,omitempty"` - Policy *PolicyApplyConfiguration `json:"policy,omitempty"` + Scopes []configv1alpha1.ImageScope `json:"scopes,omitempty"` + Policy *ImageSigstoreVerificationPolicyApplyConfiguration `json:"policy,omitempty"` } // ImagePolicySpecApplyConfiguration constructs a declarative configuration of the ImagePolicySpec type for use with @@ -32,7 +32,7 @@ func (b *ImagePolicySpecApplyConfiguration) WithScopes(values ...configv1alpha1. // WithPolicy sets the Policy field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Policy field is set to the value of the last call. -func (b *ImagePolicySpecApplyConfiguration) WithPolicy(value *PolicyApplyConfiguration) *ImagePolicySpecApplyConfiguration { +func (b *ImagePolicySpecApplyConfiguration) WithPolicy(value *ImageSigstoreVerificationPolicyApplyConfiguration) *ImagePolicySpecApplyConfiguration { b.Policy = value return b } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policy.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagesigstoreverificationpolicy.go similarity index 52% rename from vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policy.go rename to vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagesigstoreverificationpolicy.go index 61e4856642..64f9760e8b 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policy.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagesigstoreverificationpolicy.go @@ -2,23 +2,23 @@ package v1alpha1 -// PolicyApplyConfiguration represents a declarative configuration of the Policy type for use +// ImageSigstoreVerificationPolicyApplyConfiguration represents a declarative configuration of the ImageSigstoreVerificationPolicy type for use // with apply. -type PolicyApplyConfiguration struct { +type ImageSigstoreVerificationPolicyApplyConfiguration struct { RootOfTrust *PolicyRootOfTrustApplyConfiguration `json:"rootOfTrust,omitempty"` SignedIdentity *PolicyIdentityApplyConfiguration `json:"signedIdentity,omitempty"` } -// PolicyApplyConfiguration constructs a declarative configuration of the Policy type for use with +// ImageSigstoreVerificationPolicyApplyConfiguration constructs a declarative configuration of the ImageSigstoreVerificationPolicy type for use with // apply. -func Policy() *PolicyApplyConfiguration { - return &PolicyApplyConfiguration{} +func ImageSigstoreVerificationPolicy() *ImageSigstoreVerificationPolicyApplyConfiguration { + return &ImageSigstoreVerificationPolicyApplyConfiguration{} } // WithRootOfTrust sets the RootOfTrust field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the RootOfTrust field is set to the value of the last call. -func (b *PolicyApplyConfiguration) WithRootOfTrust(value *PolicyRootOfTrustApplyConfiguration) *PolicyApplyConfiguration { +func (b *ImageSigstoreVerificationPolicyApplyConfiguration) WithRootOfTrust(value *PolicyRootOfTrustApplyConfiguration) *ImageSigstoreVerificationPolicyApplyConfiguration { b.RootOfTrust = value return b } @@ -26,7 +26,7 @@ func (b *PolicyApplyConfiguration) WithRootOfTrust(value *PolicyRootOfTrustApply // WithSignedIdentity sets the SignedIdentity field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the SignedIdentity field is set to the value of the last call. -func (b *PolicyApplyConfiguration) WithSignedIdentity(value *PolicyIdentityApplyConfiguration) *PolicyApplyConfiguration { +func (b *ImageSigstoreVerificationPolicyApplyConfiguration) WithSignedIdentity(value *PolicyIdentityApplyConfiguration) *ImageSigstoreVerificationPolicyApplyConfiguration { b.SignedIdentity = value return b } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyrootoftrust.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyrootoftrust.go index 5de792be63..5122c82e0b 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyrootoftrust.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyrootoftrust.go @@ -9,10 +9,10 @@ import ( // PolicyRootOfTrustApplyConfiguration represents a declarative configuration of the PolicyRootOfTrust type for use // with apply. type PolicyRootOfTrustApplyConfiguration struct { - PolicyType *configv1alpha1.PolicyType `json:"policyType,omitempty"` - PublicKey *PublicKeyApplyConfiguration `json:"publicKey,omitempty"` - FulcioCAWithRekor *FulcioCAWithRekorApplyConfiguration `json:"fulcioCAWithRekor,omitempty"` - PKI *PKIApplyConfiguration `json:"pki,omitempty"` + PolicyType *configv1alpha1.PolicyType `json:"policyType,omitempty"` + PublicKey *ImagePolicyPublicKeyRootOfTrustApplyConfiguration `json:"publicKey,omitempty"` + FulcioCAWithRekor *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration `json:"fulcioCAWithRekor,omitempty"` + PKI *ImagePolicyPKIRootOfTrustApplyConfiguration `json:"pki,omitempty"` } // PolicyRootOfTrustApplyConfiguration constructs a declarative configuration of the PolicyRootOfTrust type for use with @@ -32,7 +32,7 @@ func (b *PolicyRootOfTrustApplyConfiguration) WithPolicyType(value configv1alpha // WithPublicKey sets the PublicKey field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the PublicKey field is set to the value of the last call. -func (b *PolicyRootOfTrustApplyConfiguration) WithPublicKey(value *PublicKeyApplyConfiguration) *PolicyRootOfTrustApplyConfiguration { +func (b *PolicyRootOfTrustApplyConfiguration) WithPublicKey(value *ImagePolicyPublicKeyRootOfTrustApplyConfiguration) *PolicyRootOfTrustApplyConfiguration { b.PublicKey = value return b } @@ -40,7 +40,7 @@ func (b *PolicyRootOfTrustApplyConfiguration) WithPublicKey(value *PublicKeyAppl // WithFulcioCAWithRekor sets the FulcioCAWithRekor field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the FulcioCAWithRekor field is set to the value of the last call. -func (b *PolicyRootOfTrustApplyConfiguration) WithFulcioCAWithRekor(value *FulcioCAWithRekorApplyConfiguration) *PolicyRootOfTrustApplyConfiguration { +func (b *PolicyRootOfTrustApplyConfiguration) WithFulcioCAWithRekor(value *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration) *PolicyRootOfTrustApplyConfiguration { b.FulcioCAWithRekor = value return b } @@ -48,7 +48,7 @@ func (b *PolicyRootOfTrustApplyConfiguration) WithFulcioCAWithRekor(value *Fulci // WithPKI sets the PKI field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the PKI field is set to the value of the last call. -func (b *PolicyRootOfTrustApplyConfiguration) WithPKI(value *PKIApplyConfiguration) *PolicyRootOfTrustApplyConfiguration { +func (b *PolicyRootOfTrustApplyConfiguration) WithPKI(value *ImagePolicyPKIRootOfTrustApplyConfiguration) *PolicyRootOfTrustApplyConfiguration { b.PKI = value return b } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go index 856255b2ad..f00417a5c6 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go @@ -641,7 +641,7 @@ var schemaYAML = typed.YAMLObject(`types: fields: - name: policy type: - namedType: com.github.openshift.api.config.v1.Policy + namedType: com.github.openshift.api.config.v1.ImageSigstoreVerificationPolicy default: {} - name: scopes type: @@ -1340,19 +1340,6 @@ var schemaYAML = typed.YAMLObject(`types: elementRelationship: associative keys: - version -- name: com.github.openshift.api.config.v1.FulcioCAWithRekor - map: - fields: - - name: fulcioCAData - type: - scalar: string - - name: fulcioSubject - type: - namedType: com.github.openshift.api.config.v1.PolicyFulcioSubject - default: {} - - name: rekorKeyData - type: - scalar: string - name: com.github.openshift.api.config.v1.GCPPlatformSpec map: elementType: @@ -1397,14 +1384,6 @@ var schemaYAML = typed.YAMLObject(`types: elementRelationship: associative keys: - key - - name: serviceEndpoints - type: - list: - elementType: - namedType: com.github.openshift.api.config.v1.GCPServiceEndpoint - elementRelationship: associative - keys: - - name - name: com.github.openshift.api.config.v1.GCPResourceLabel map: fields: @@ -1431,17 +1410,6 @@ var schemaYAML = typed.YAMLObject(`types: type: scalar: string default: "" -- name: com.github.openshift.api.config.v1.GCPServiceEndpoint - map: - fields: - - name: name - type: - scalar: string - default: "" - - name: url - type: - scalar: string - default: "" - name: com.github.openshift.api.config.v1.GatherConfig map: fields: @@ -1802,12 +1770,47 @@ var schemaYAML = typed.YAMLObject(`types: type: namedType: com.github.openshift.api.config.v1.ImagePolicyStatus default: {} +- name: com.github.openshift.api.config.v1.ImagePolicyFulcioCAWithRekorRootOfTrust + map: + fields: + - name: fulcioCAData + type: + scalar: string + - name: fulcioSubject + type: + namedType: com.github.openshift.api.config.v1.PolicyFulcioSubject + default: {} + - name: rekorKeyData + type: + scalar: string +- name: com.github.openshift.api.config.v1.ImagePolicyPKIRootOfTrust + map: + fields: + - name: caIntermediatesData + type: + scalar: string + - name: caRootsData + type: + scalar: string + - name: pkiCertificateSubject + type: + namedType: com.github.openshift.api.config.v1.PKICertificateSubject + default: {} +- name: com.github.openshift.api.config.v1.ImagePolicyPublicKeyRootOfTrust + map: + fields: + - name: keyData + type: + scalar: string + - name: rekorKeyData + type: + scalar: string - name: com.github.openshift.api.config.v1.ImagePolicySpec map: fields: - name: policy type: - namedType: com.github.openshift.api.config.v1.Policy + namedType: com.github.openshift.api.config.v1.ImageSigstoreVerificationPolicy default: {} - name: scopes type: @@ -1826,6 +1829,16 @@ var schemaYAML = typed.YAMLObject(`types: elementRelationship: associative keys: - type +- name: com.github.openshift.api.config.v1.ImageSigstoreVerificationPolicy + map: + fields: + - name: rootOfTrust + type: + namedType: com.github.openshift.api.config.v1.PolicyRootOfTrust + default: {} + - name: signedIdentity + type: + namedType: com.github.openshift.api.config.v1.PolicyIdentity - name: com.github.openshift.api.config.v1.ImageSpec map: fields: @@ -3006,19 +3019,6 @@ var schemaYAML = typed.YAMLObject(`types: - name: nodeDNSIP type: scalar: string -- name: com.github.openshift.api.config.v1.PKI - map: - fields: - - name: caIntermediatesData - type: - scalar: string - - name: caRootsData - type: - scalar: string - - name: pkiCertificateSubject - type: - namedType: com.github.openshift.api.config.v1.PKICertificateSubject - default: {} - name: com.github.openshift.api.config.v1.PKICertificateSubject map: fields: @@ -3142,16 +3142,6 @@ var schemaYAML = typed.YAMLObject(`types: - name: vsphere type: namedType: com.github.openshift.api.config.v1.VSpherePlatformStatus -- name: com.github.openshift.api.config.v1.Policy - map: - fields: - - name: rootOfTrust - type: - namedType: com.github.openshift.api.config.v1.PolicyRootOfTrust - default: {} - - name: signedIdentity - type: - namedType: com.github.openshift.api.config.v1.PolicyIdentity - name: com.github.openshift.api.config.v1.PolicyFulcioSubject map: fields: @@ -3206,17 +3196,17 @@ var schemaYAML = typed.YAMLObject(`types: fields: - name: fulcioCAWithRekor type: - namedType: com.github.openshift.api.config.v1.FulcioCAWithRekor + namedType: com.github.openshift.api.config.v1.ImagePolicyFulcioCAWithRekorRootOfTrust - name: pki type: - namedType: com.github.openshift.api.config.v1.PKI + namedType: com.github.openshift.api.config.v1.ImagePolicyPKIRootOfTrust - name: policyType type: scalar: string default: "" - name: publicKey type: - namedType: com.github.openshift.api.config.v1.PublicKey + namedType: com.github.openshift.api.config.v1.ImagePolicyPublicKeyRootOfTrust unions: - discriminator: policyType fields: @@ -3401,15 +3391,6 @@ var schemaYAML = typed.YAMLObject(`types: - name: noProxy type: scalar: string -- name: com.github.openshift.api.config.v1.PublicKey - map: - fields: - - name: keyData - type: - scalar: string - - name: rekorKeyData - type: - scalar: string - name: com.github.openshift.api.config.v1.RegistryLocation map: fields: @@ -4194,7 +4175,7 @@ var schemaYAML = typed.YAMLObject(`types: fields: - name: policy type: - namedType: com.github.openshift.api.config.v1alpha1.Policy + namedType: com.github.openshift.api.config.v1alpha1.ImageSigstoreVerificationPolicy default: {} - name: scopes type: @@ -4292,19 +4273,6 @@ var schemaYAML = typed.YAMLObject(`types: type: scalar: string default: "" -- name: com.github.openshift.api.config.v1alpha1.FulcioCAWithRekor - map: - fields: - - name: fulcioCAData - type: - scalar: string - - name: fulcioSubject - type: - namedType: com.github.openshift.api.config.v1alpha1.PolicyFulcioSubject - default: {} - - name: rekorKeyData - type: - scalar: string - name: com.github.openshift.api.config.v1alpha1.GatherConfig map: fields: @@ -4341,12 +4309,47 @@ var schemaYAML = typed.YAMLObject(`types: type: namedType: com.github.openshift.api.config.v1alpha1.ImagePolicyStatus default: {} +- name: com.github.openshift.api.config.v1alpha1.ImagePolicyFulcioCAWithRekorRootOfTrust + map: + fields: + - name: fulcioCAData + type: + scalar: string + - name: fulcioSubject + type: + namedType: com.github.openshift.api.config.v1alpha1.PolicyFulcioSubject + default: {} + - name: rekorKeyData + type: + scalar: string +- name: com.github.openshift.api.config.v1alpha1.ImagePolicyPKIRootOfTrust + map: + fields: + - name: caIntermediatesData + type: + scalar: string + - name: caRootsData + type: + scalar: string + - name: pkiCertificateSubject + type: + namedType: com.github.openshift.api.config.v1alpha1.PKICertificateSubject + default: {} +- name: com.github.openshift.api.config.v1alpha1.ImagePolicyPublicKeyRootOfTrust + map: + fields: + - name: keyData + type: + scalar: string + - name: rekorKeyData + type: + scalar: string - name: com.github.openshift.api.config.v1alpha1.ImagePolicySpec map: fields: - name: policy type: - namedType: com.github.openshift.api.config.v1alpha1.Policy + namedType: com.github.openshift.api.config.v1alpha1.ImageSigstoreVerificationPolicy default: {} - name: scopes type: @@ -4365,6 +4368,17 @@ var schemaYAML = typed.YAMLObject(`types: elementRelationship: associative keys: - type +- name: com.github.openshift.api.config.v1alpha1.ImageSigstoreVerificationPolicy + map: + fields: + - name: rootOfTrust + type: + namedType: com.github.openshift.api.config.v1alpha1.PolicyRootOfTrust + default: {} + - name: signedIdentity + type: + namedType: com.github.openshift.api.config.v1alpha1.PolicyIdentity + default: {} - name: com.github.openshift.api.config.v1alpha1.InsightsDataGather map: fields: @@ -4443,19 +4457,6 @@ var schemaYAML = typed.YAMLObject(`types: - name: verbosity type: scalar: string -- name: com.github.openshift.api.config.v1alpha1.PKI - map: - fields: - - name: caIntermediatesData - type: - scalar: string - - name: caRootsData - type: - scalar: string - - name: pkiCertificateSubject - type: - namedType: com.github.openshift.api.config.v1alpha1.PKICertificateSubject - default: {} - name: com.github.openshift.api.config.v1alpha1.PKICertificateSubject map: fields: @@ -4482,17 +4483,6 @@ var schemaYAML = typed.YAMLObject(`types: - name: mountPath type: scalar: string -- name: com.github.openshift.api.config.v1alpha1.Policy - map: - fields: - - name: rootOfTrust - type: - namedType: com.github.openshift.api.config.v1alpha1.PolicyRootOfTrust - default: {} - - name: signedIdentity - type: - namedType: com.github.openshift.api.config.v1alpha1.PolicyIdentity - default: {} - name: com.github.openshift.api.config.v1alpha1.PolicyFulcioSubject map: fields: @@ -4547,17 +4537,17 @@ var schemaYAML = typed.YAMLObject(`types: fields: - name: fulcioCAWithRekor type: - namedType: com.github.openshift.api.config.v1alpha1.FulcioCAWithRekor + namedType: com.github.openshift.api.config.v1alpha1.ImagePolicyFulcioCAWithRekorRootOfTrust - name: pki type: - namedType: com.github.openshift.api.config.v1alpha1.PKI + namedType: com.github.openshift.api.config.v1alpha1.ImagePolicyPKIRootOfTrust - name: policyType type: scalar: string default: "" - name: publicKey type: - namedType: com.github.openshift.api.config.v1alpha1.PublicKey + namedType: com.github.openshift.api.config.v1alpha1.ImagePolicyPublicKeyRootOfTrust unions: - discriminator: policyType fields: @@ -4567,15 +4557,6 @@ var schemaYAML = typed.YAMLObject(`types: discriminatorValue: PKI - fieldName: publicKey discriminatorValue: PublicKey -- name: com.github.openshift.api.config.v1alpha1.PublicKey - map: - fields: - - name: keyData - type: - scalar: string - - name: rekorKeyData - type: - scalar: string - name: com.github.openshift.api.config.v1alpha1.RetentionNumberConfig map: fields: diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go index 7bf9f78816..99cad8e204 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go @@ -172,8 +172,6 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1.FeatureGateSpecApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("FeatureGateStatus"): return &configv1.FeatureGateStatusApplyConfiguration{} - case v1.SchemeGroupVersion.WithKind("FulcioCAWithRekor"): - return &configv1.FulcioCAWithRekorApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("GatherConfig"): return &configv1.GatherConfigApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("GathererConfig"): @@ -224,10 +222,18 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1.ImageLabelApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("ImagePolicy"): return &configv1.ImagePolicyApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ImagePolicyFulcioCAWithRekorRootOfTrust"): + return &configv1.ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ImagePolicyPKIRootOfTrust"): + return &configv1.ImagePolicyPKIRootOfTrustApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ImagePolicyPublicKeyRootOfTrust"): + return &configv1.ImagePolicyPublicKeyRootOfTrustApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("ImagePolicySpec"): return &configv1.ImagePolicySpecApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("ImagePolicyStatus"): return &configv1.ImagePolicyStatusApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ImageSigstoreVerificationPolicy"): + return &configv1.ImageSigstoreVerificationPolicyApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("ImageSpec"): return &configv1.ImageSpecApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("ImageStatus"): @@ -352,16 +358,12 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1.PersistentVolumeClaimReferenceApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("PersistentVolumeConfig"): return &configv1.PersistentVolumeConfigApplyConfiguration{} - case v1.SchemeGroupVersion.WithKind("PKI"): - return &configv1.PKIApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("PKICertificateSubject"): return &configv1.PKICertificateSubjectApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("PlatformSpec"): return &configv1.PlatformSpecApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("PlatformStatus"): return &configv1.PlatformStatusApplyConfiguration{} - case v1.SchemeGroupVersion.WithKind("Policy"): - return &configv1.PolicyApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("PolicyFulcioSubject"): return &configv1.PolicyFulcioSubjectApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("PolicyIdentity"): @@ -394,8 +396,6 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1.ProxySpecApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("ProxyStatus"): return &configv1.ProxyStatusApplyConfiguration{} - case v1.SchemeGroupVersion.WithKind("PublicKey"): - return &configv1.PublicKeyApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("RegistryLocation"): return &configv1.RegistryLocationApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("RegistrySources"): @@ -496,16 +496,22 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1alpha1.ContainerResourceApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("EtcdBackupSpec"): return &configv1alpha1.EtcdBackupSpecApplyConfiguration{} - case v1alpha1.SchemeGroupVersion.WithKind("FulcioCAWithRekor"): - return &configv1alpha1.FulcioCAWithRekorApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("GatherConfig"): return &configv1alpha1.GatherConfigApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("ImagePolicy"): return &configv1alpha1.ImagePolicyApplyConfiguration{} + case v1alpha1.SchemeGroupVersion.WithKind("ImagePolicyFulcioCAWithRekorRootOfTrust"): + return &configv1alpha1.ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration{} + case v1alpha1.SchemeGroupVersion.WithKind("ImagePolicyPKIRootOfTrust"): + return &configv1alpha1.ImagePolicyPKIRootOfTrustApplyConfiguration{} + case v1alpha1.SchemeGroupVersion.WithKind("ImagePolicyPublicKeyRootOfTrust"): + return &configv1alpha1.ImagePolicyPublicKeyRootOfTrustApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("ImagePolicySpec"): return &configv1alpha1.ImagePolicySpecApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("ImagePolicyStatus"): return &configv1alpha1.ImagePolicyStatusApplyConfiguration{} + case v1alpha1.SchemeGroupVersion.WithKind("ImageSigstoreVerificationPolicy"): + return &configv1alpha1.ImageSigstoreVerificationPolicyApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("InsightsDataGather"): return &configv1alpha1.InsightsDataGatherApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("InsightsDataGatherSpec"): @@ -516,12 +522,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1alpha1.PersistentVolumeClaimReferenceApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("PersistentVolumeConfig"): return &configv1alpha1.PersistentVolumeConfigApplyConfiguration{} - case v1alpha1.SchemeGroupVersion.WithKind("PKI"): - return &configv1alpha1.PKIApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("PKICertificateSubject"): return &configv1alpha1.PKICertificateSubjectApplyConfiguration{} - case v1alpha1.SchemeGroupVersion.WithKind("Policy"): - return &configv1alpha1.PolicyApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("PolicyFulcioSubject"): return &configv1alpha1.PolicyFulcioSubjectApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("PolicyIdentity"): @@ -532,8 +534,6 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1alpha1.PolicyMatchRemapIdentityApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("PolicyRootOfTrust"): return &configv1alpha1.PolicyRootOfTrustApplyConfiguration{} - case v1alpha1.SchemeGroupVersion.WithKind("PublicKey"): - return &configv1alpha1.PublicKeyApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("RetentionNumberConfig"): return &configv1alpha1.RetentionNumberConfigApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("RetentionPolicy"): diff --git a/vendor/golang.org/x/crypto/openpgp/s2k/s2k.go b/vendor/golang.org/x/crypto/openpgp/s2k/s2k.go index fa1a919079..490cb633ce 100644 --- a/vendor/golang.org/x/crypto/openpgp/s2k/s2k.go +++ b/vendor/golang.org/x/crypto/openpgp/s2k/s2k.go @@ -53,7 +53,7 @@ func (c *Config) hash() crypto.Hash { func (c *Config) encodedCount() uint8 { if c == nil || c.S2KCount == 0 { - return 96 // The common case. Correspoding to 65536 + return 96 // The common case. Corresponding to 65536 } i := c.S2KCount diff --git a/vendor/golang.org/x/net/context/context.go b/vendor/golang.org/x/net/context/context.go index db1c95fab1..24cea68820 100644 --- a/vendor/golang.org/x/net/context/context.go +++ b/vendor/golang.org/x/net/context/context.go @@ -2,44 +2,9 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. -// Package context defines the Context type, which carries deadlines, -// cancellation signals, and other request-scoped values across API boundaries -// and between processes. -// As of Go 1.7 this package is available in the standard library under the -// name [context], and migrating to it can be done automatically with [go fix]. -// -// Incoming requests to a server should create a [Context], and outgoing -// calls to servers should accept a Context. The chain of function -// calls between them must propagate the Context, optionally replacing -// it with a derived Context created using [WithCancel], [WithDeadline], -// [WithTimeout], or [WithValue]. -// -// Programs that use Contexts should follow these rules to keep interfaces -// consistent across packages and enable static analysis tools to check context -// propagation: -// -// Do not store Contexts inside a struct type; instead, pass a Context -// explicitly to each function that needs it. This is discussed further in -// https://go.dev/blog/context-and-structs. The Context should be the first -// parameter, typically named ctx: -// -// func DoSomething(ctx context.Context, arg Arg) error { -// // ... use ctx ... -// } -// -// Do not pass a nil [Context], even if a function permits it. Pass [context.TODO] -// if you are unsure about which Context to use. -// -// Use context Values only for request-scoped data that transits processes and -// APIs, not for passing optional parameters to functions. +// Package context has been superseded by the standard library [context] package. // -// The same Context may be passed to functions running in different goroutines; -// Contexts are safe for simultaneous use by multiple goroutines. -// -// See https://go.dev/blog/context for example code for a server that uses -// Contexts. -// -// [go fix]: https://go.dev/cmd/go#hdr-Update_packages_to_use_new_APIs +// Deprecated: Use the standard library context package instead. package context import ( @@ -51,36 +16,37 @@ import ( // API boundaries. // // Context's methods may be called by multiple goroutines simultaneously. +// +//go:fix inline type Context = context.Context // Canceled is the error returned by [Context.Err] when the context is canceled // for some reason other than its deadline passing. +// +//go:fix inline var Canceled = context.Canceled // DeadlineExceeded is the error returned by [Context.Err] when the context is canceled // due to its deadline passing. +// +//go:fix inline var DeadlineExceeded = context.DeadlineExceeded // Background returns a non-nil, empty Context. It is never canceled, has no // values, and has no deadline. It is typically used by the main function, // initialization, and tests, and as the top-level Context for incoming // requests. -func Background() Context { - return background -} +// +//go:fix inline +func Background() Context { return context.Background() } // TODO returns a non-nil, empty Context. Code should use context.TODO when // it's unclear which Context to use or it is not yet available (because the // surrounding function has not yet been extended to accept a Context // parameter). -func TODO() Context { - return todo -} - -var ( - background = context.Background() - todo = context.TODO() -) +// +//go:fix inline +func TODO() Context { return context.TODO() } // A CancelFunc tells an operation to abandon its work. // A CancelFunc does not wait for the work to stop. @@ -95,6 +61,8 @@ type CancelFunc = context.CancelFunc // // Canceling this context releases resources associated with it, so code should // call cancel as soon as the operations running in this [Context] complete. +// +//go:fix inline func WithCancel(parent Context) (ctx Context, cancel CancelFunc) { return context.WithCancel(parent) } @@ -108,6 +76,8 @@ func WithCancel(parent Context) (ctx Context, cancel CancelFunc) { // // Canceling this context releases resources associated with it, so code should // call cancel as soon as the operations running in this [Context] complete. +// +//go:fix inline func WithDeadline(parent Context, d time.Time) (Context, CancelFunc) { return context.WithDeadline(parent, d) } @@ -122,6 +92,8 @@ func WithDeadline(parent Context, d time.Time) (Context, CancelFunc) { // defer cancel() // releases resources if slowOperation completes before timeout elapses // return slowOperation(ctx) // } +// +//go:fix inline func WithTimeout(parent Context, timeout time.Duration) (Context, CancelFunc) { return context.WithTimeout(parent, timeout) } @@ -139,6 +111,8 @@ func WithTimeout(parent Context, timeout time.Duration) (Context, CancelFunc) { // interface{}, context keys often have concrete type // struct{}. Alternatively, exported context key variables' static // type should be a pointer or interface. +// +//go:fix inline func WithValue(parent Context, key, val interface{}) Context { return context.WithValue(parent, key, val) } diff --git a/vendor/golang.org/x/net/html/escape.go b/vendor/golang.org/x/net/html/escape.go index 04c6bec210..12f2273706 100644 --- a/vendor/golang.org/x/net/html/escape.go +++ b/vendor/golang.org/x/net/html/escape.go @@ -299,7 +299,7 @@ func escape(w writer, s string) error { case '\r': esc = " " default: - panic("unrecognized escape character") + panic("html: unrecognized escape character") } s = s[i+1:] if _, err := w.WriteString(esc); err != nil { diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go index 518ee4c94e..88fc0056a3 100644 --- a/vendor/golang.org/x/net/html/parse.go +++ b/vendor/golang.org/x/net/html/parse.go @@ -136,7 +136,7 @@ func (p *parser) indexOfElementInScope(s scope, matchTags ...a.Atom) int { return -1 } default: - panic("unreachable") + panic(fmt.Sprintf("html: internal error: indexOfElementInScope unknown scope: %d", s)) } } switch s { @@ -179,7 +179,7 @@ func (p *parser) clearStackToContext(s scope) { return } default: - panic("unreachable") + panic(fmt.Sprintf("html: internal error: clearStackToContext unknown scope: %d", s)) } } } @@ -231,7 +231,14 @@ func (p *parser) addChild(n *Node) { } if n.Type == ElementNode { - p.oe = append(p.oe, n) + p.insertOpenElement(n) + } +} + +func (p *parser) insertOpenElement(n *Node) { + p.oe = append(p.oe, n) + if len(p.oe) > 512 { + panic("html: open stack of elements exceeds 512 nodes") } } @@ -810,7 +817,7 @@ func afterHeadIM(p *parser) bool { p.im = inFramesetIM return true case a.Base, a.Basefont, a.Bgsound, a.Link, a.Meta, a.Noframes, a.Script, a.Style, a.Template, a.Title: - p.oe = append(p.oe, p.head) + p.insertOpenElement(p.head) defer p.oe.remove(p.head) return inHeadIM(p) case a.Head: @@ -1678,7 +1685,7 @@ func inTableBodyIM(p *parser) bool { return inTableIM(p) } -// Section 12.2.6.4.14. +// Section 13.2.6.4.14. func inRowIM(p *parser) bool { switch p.tok.Type { case StartTagToken: @@ -1690,7 +1697,9 @@ func inRowIM(p *parser) bool { p.im = inCellIM return true case a.Caption, a.Col, a.Colgroup, a.Tbody, a.Tfoot, a.Thead, a.Tr: - if p.popUntil(tableScope, a.Tr) { + if p.elementInScope(tableScope, a.Tr) { + p.clearStackToContext(tableRowScope) + p.oe.pop() p.im = inTableBodyIM return false } @@ -1700,22 +1709,28 @@ func inRowIM(p *parser) bool { case EndTagToken: switch p.tok.DataAtom { case a.Tr: - if p.popUntil(tableScope, a.Tr) { + if p.elementInScope(tableScope, a.Tr) { + p.clearStackToContext(tableRowScope) + p.oe.pop() p.im = inTableBodyIM return true } // Ignore the token. return true case a.Table: - if p.popUntil(tableScope, a.Tr) { + if p.elementInScope(tableScope, a.Tr) { + p.clearStackToContext(tableRowScope) + p.oe.pop() p.im = inTableBodyIM return false } // Ignore the token. return true case a.Tbody, a.Tfoot, a.Thead: - if p.elementInScope(tableScope, p.tok.DataAtom) { - p.parseImpliedToken(EndTagToken, a.Tr, a.Tr.String()) + if p.elementInScope(tableScope, p.tok.DataAtom) && p.elementInScope(tableScope, a.Tr) { + p.clearStackToContext(tableRowScope) + p.oe.pop() + p.im = inTableBodyIM return false } // Ignore the token. @@ -2222,16 +2237,20 @@ func parseForeignContent(p *parser) bool { p.acknowledgeSelfClosingTag() } case EndTagToken: + if strings.EqualFold(p.oe[len(p.oe)-1].Data, p.tok.Data) { + p.oe = p.oe[:len(p.oe)-1] + return true + } for i := len(p.oe) - 1; i >= 0; i-- { - if p.oe[i].Namespace == "" { - return p.im(p) - } if strings.EqualFold(p.oe[i].Data, p.tok.Data) { p.oe = p.oe[:i] + return true + } + if i > 0 && p.oe[i-1].Namespace == "" { break } } - return true + return p.im(p) default: // Ignore the token. } @@ -2312,9 +2331,13 @@ func (p *parser) parseCurrentToken() { } } -func (p *parser) parse() error { +func (p *parser) parse() (err error) { + defer func() { + if panicErr := recover(); panicErr != nil { + err = fmt.Errorf("%s", panicErr) + } + }() // Iterate until EOF. Any other error will cause an early return. - var err error for err != io.EOF { // CDATA sections are allowed only in foreign content. n := p.oe.top() @@ -2343,6 +2366,8 @@ func (p *parser) parse() error { // s. Conversely, explicit s in r's data can be silently dropped, // with no corresponding node in the resulting tree. // +// Parse will reject HTML that is nested deeper than 512 elements. +// // The input is assumed to be UTF-8 encoded. func Parse(r io.Reader) (*Node, error) { return ParseWithOptions(r) diff --git a/vendor/golang.org/x/net/html/render.go b/vendor/golang.org/x/net/html/render.go index e8c1233455..0157d89e1f 100644 --- a/vendor/golang.org/x/net/html/render.go +++ b/vendor/golang.org/x/net/html/render.go @@ -184,7 +184,7 @@ func render1(w writer, n *Node) error { return err } - // Add initial newline where there is danger of a newline beging ignored. + // Add initial newline where there is danger of a newline being ignored. if c := n.FirstChild; c != nil && c.Type == TextNode && strings.HasPrefix(c.Data, "\n") { switch n.Data { case "pre", "listing", "textarea": diff --git a/vendor/golang.org/x/net/http2/config.go b/vendor/golang.org/x/net/http2/config.go index ca645d9a1a..8a7a89d016 100644 --- a/vendor/golang.org/x/net/http2/config.go +++ b/vendor/golang.org/x/net/http2/config.go @@ -27,6 +27,7 @@ import ( // - If the resulting value is zero or out of range, use a default. type http2Config struct { MaxConcurrentStreams uint32 + StrictMaxConcurrentRequests bool MaxDecoderHeaderTableSize uint32 MaxEncoderHeaderTableSize uint32 MaxReadFrameSize uint32 @@ -55,7 +56,7 @@ func configFromServer(h1 *http.Server, h2 *Server) http2Config { PermitProhibitedCipherSuites: h2.PermitProhibitedCipherSuites, CountError: h2.CountError, } - fillNetHTTPServerConfig(&conf, h1) + fillNetHTTPConfig(&conf, h1.HTTP2) setConfigDefaults(&conf, true) return conf } @@ -64,12 +65,13 @@ func configFromServer(h1 *http.Server, h2 *Server) http2Config { // (the net/http Transport). func configFromTransport(h2 *Transport) http2Config { conf := http2Config{ - MaxEncoderHeaderTableSize: h2.MaxEncoderHeaderTableSize, - MaxDecoderHeaderTableSize: h2.MaxDecoderHeaderTableSize, - MaxReadFrameSize: h2.MaxReadFrameSize, - SendPingTimeout: h2.ReadIdleTimeout, - PingTimeout: h2.PingTimeout, - WriteByteTimeout: h2.WriteByteTimeout, + StrictMaxConcurrentRequests: h2.StrictMaxConcurrentStreams, + MaxEncoderHeaderTableSize: h2.MaxEncoderHeaderTableSize, + MaxDecoderHeaderTableSize: h2.MaxDecoderHeaderTableSize, + MaxReadFrameSize: h2.MaxReadFrameSize, + SendPingTimeout: h2.ReadIdleTimeout, + PingTimeout: h2.PingTimeout, + WriteByteTimeout: h2.WriteByteTimeout, } // Unlike most config fields, where out-of-range values revert to the default, @@ -81,7 +83,7 @@ func configFromTransport(h2 *Transport) http2Config { } if h2.t1 != nil { - fillNetHTTPTransportConfig(&conf, h2.t1) + fillNetHTTPConfig(&conf, h2.t1.HTTP2) } setConfigDefaults(&conf, false) return conf @@ -120,3 +122,48 @@ func adjustHTTP1MaxHeaderSize(n int64) int64 { const typicalHeaders = 10 // conservative return n + typicalHeaders*perFieldOverhead } + +func fillNetHTTPConfig(conf *http2Config, h2 *http.HTTP2Config) { + if h2 == nil { + return + } + if h2.MaxConcurrentStreams != 0 { + conf.MaxConcurrentStreams = uint32(h2.MaxConcurrentStreams) + } + if http2ConfigStrictMaxConcurrentRequests(h2) { + conf.StrictMaxConcurrentRequests = true + } + if h2.MaxEncoderHeaderTableSize != 0 { + conf.MaxEncoderHeaderTableSize = uint32(h2.MaxEncoderHeaderTableSize) + } + if h2.MaxDecoderHeaderTableSize != 0 { + conf.MaxDecoderHeaderTableSize = uint32(h2.MaxDecoderHeaderTableSize) + } + if h2.MaxConcurrentStreams != 0 { + conf.MaxConcurrentStreams = uint32(h2.MaxConcurrentStreams) + } + if h2.MaxReadFrameSize != 0 { + conf.MaxReadFrameSize = uint32(h2.MaxReadFrameSize) + } + if h2.MaxReceiveBufferPerConnection != 0 { + conf.MaxUploadBufferPerConnection = int32(h2.MaxReceiveBufferPerConnection) + } + if h2.MaxReceiveBufferPerStream != 0 { + conf.MaxUploadBufferPerStream = int32(h2.MaxReceiveBufferPerStream) + } + if h2.SendPingTimeout != 0 { + conf.SendPingTimeout = h2.SendPingTimeout + } + if h2.PingTimeout != 0 { + conf.PingTimeout = h2.PingTimeout + } + if h2.WriteByteTimeout != 0 { + conf.WriteByteTimeout = h2.WriteByteTimeout + } + if h2.PermitProhibitedCipherSuites { + conf.PermitProhibitedCipherSuites = true + } + if h2.CountError != nil { + conf.CountError = h2.CountError + } +} diff --git a/vendor/golang.org/x/net/http2/config_go124.go b/vendor/golang.org/x/net/http2/config_go124.go deleted file mode 100644 index 5b516c55ff..0000000000 --- a/vendor/golang.org/x/net/http2/config_go124.go +++ /dev/null @@ -1,61 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build go1.24 - -package http2 - -import "net/http" - -// fillNetHTTPServerConfig sets fields in conf from srv.HTTP2. -func fillNetHTTPServerConfig(conf *http2Config, srv *http.Server) { - fillNetHTTPConfig(conf, srv.HTTP2) -} - -// fillNetHTTPTransportConfig sets fields in conf from tr.HTTP2. -func fillNetHTTPTransportConfig(conf *http2Config, tr *http.Transport) { - fillNetHTTPConfig(conf, tr.HTTP2) -} - -func fillNetHTTPConfig(conf *http2Config, h2 *http.HTTP2Config) { - if h2 == nil { - return - } - if h2.MaxConcurrentStreams != 0 { - conf.MaxConcurrentStreams = uint32(h2.MaxConcurrentStreams) - } - if h2.MaxEncoderHeaderTableSize != 0 { - conf.MaxEncoderHeaderTableSize = uint32(h2.MaxEncoderHeaderTableSize) - } - if h2.MaxDecoderHeaderTableSize != 0 { - conf.MaxDecoderHeaderTableSize = uint32(h2.MaxDecoderHeaderTableSize) - } - if h2.MaxConcurrentStreams != 0 { - conf.MaxConcurrentStreams = uint32(h2.MaxConcurrentStreams) - } - if h2.MaxReadFrameSize != 0 { - conf.MaxReadFrameSize = uint32(h2.MaxReadFrameSize) - } - if h2.MaxReceiveBufferPerConnection != 0 { - conf.MaxUploadBufferPerConnection = int32(h2.MaxReceiveBufferPerConnection) - } - if h2.MaxReceiveBufferPerStream != 0 { - conf.MaxUploadBufferPerStream = int32(h2.MaxReceiveBufferPerStream) - } - if h2.SendPingTimeout != 0 { - conf.SendPingTimeout = h2.SendPingTimeout - } - if h2.PingTimeout != 0 { - conf.PingTimeout = h2.PingTimeout - } - if h2.WriteByteTimeout != 0 { - conf.WriteByteTimeout = h2.WriteByteTimeout - } - if h2.PermitProhibitedCipherSuites { - conf.PermitProhibitedCipherSuites = true - } - if h2.CountError != nil { - conf.CountError = h2.CountError - } -} diff --git a/vendor/golang.org/x/net/http2/config_go125.go b/vendor/golang.org/x/net/http2/config_go125.go new file mode 100644 index 0000000000..b4373fe33c --- /dev/null +++ b/vendor/golang.org/x/net/http2/config_go125.go @@ -0,0 +1,15 @@ +// Copyright 2025 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build !go1.26 + +package http2 + +import ( + "net/http" +) + +func http2ConfigStrictMaxConcurrentRequests(h2 *http.HTTP2Config) bool { + return false +} diff --git a/vendor/golang.org/x/net/http2/config_go126.go b/vendor/golang.org/x/net/http2/config_go126.go new file mode 100644 index 0000000000..6b071c149d --- /dev/null +++ b/vendor/golang.org/x/net/http2/config_go126.go @@ -0,0 +1,15 @@ +// Copyright 2025 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build go1.26 + +package http2 + +import ( + "net/http" +) + +func http2ConfigStrictMaxConcurrentRequests(h2 *http.HTTP2Config) bool { + return h2.StrictMaxConcurrentRequests +} diff --git a/vendor/golang.org/x/net/http2/config_pre_go124.go b/vendor/golang.org/x/net/http2/config_pre_go124.go deleted file mode 100644 index 060fd6c64c..0000000000 --- a/vendor/golang.org/x/net/http2/config_pre_go124.go +++ /dev/null @@ -1,16 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !go1.24 - -package http2 - -import "net/http" - -// Pre-Go 1.24 fallback. -// The Server.HTTP2 and Transport.HTTP2 config fields were added in Go 1.24. - -func fillNetHTTPServerConfig(conf *http2Config, srv *http.Server) {} - -func fillNetHTTPTransportConfig(conf *http2Config, tr *http.Transport) {} diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go index db3264da8c..9a4bd123c9 100644 --- a/vendor/golang.org/x/net/http2/frame.go +++ b/vendor/golang.org/x/net/http2/frame.go @@ -280,6 +280,8 @@ type Framer struct { // lastHeaderStream is non-zero if the last frame was an // unfinished HEADERS/CONTINUATION. lastHeaderStream uint32 + // lastFrameType holds the type of the last frame for verifying frame order. + lastFrameType FrameType maxReadSize uint32 headerBuf [frameHeaderLen]byte @@ -347,7 +349,7 @@ func (fr *Framer) maxHeaderListSize() uint32 { func (f *Framer) startWrite(ftype FrameType, flags Flags, streamID uint32) { // Write the FrameHeader. f.wbuf = append(f.wbuf[:0], - 0, // 3 bytes of length, filled in in endWrite + 0, // 3 bytes of length, filled in endWrite 0, 0, byte(ftype), @@ -488,30 +490,41 @@ func terminalReadFrameError(err error) bool { return err != nil } -// ReadFrame reads a single frame. The returned Frame is only valid -// until the next call to ReadFrame. +// ReadFrameHeader reads the header of the next frame. +// It reads the 9-byte fixed frame header, and does not read any portion of the +// frame payload. The caller is responsible for consuming the payload, either +// with ReadFrameForHeader or directly from the Framer's io.Reader. // -// If the frame is larger than previously set with SetMaxReadFrameSize, the -// returned error is ErrFrameTooLarge. Other errors may be of type -// ConnectionError, StreamError, or anything else from the underlying -// reader. +// If the frame is larger than previously set with SetMaxReadFrameSize, it +// returns the frame header and ErrFrameTooLarge. // -// If ReadFrame returns an error and a non-nil Frame, the Frame's StreamID -// indicates the stream responsible for the error. -func (fr *Framer) ReadFrame() (Frame, error) { +// If the returned FrameHeader.StreamID is non-zero, it indicates the stream +// responsible for the error. +func (fr *Framer) ReadFrameHeader() (FrameHeader, error) { fr.errDetail = nil - if fr.lastFrame != nil { - fr.lastFrame.invalidate() - } fh, err := readFrameHeader(fr.headerBuf[:], fr.r) if err != nil { - return nil, err + return fh, err } if fh.Length > fr.maxReadSize { if fh == invalidHTTP1LookingFrameHeader() { - return nil, fmt.Errorf("http2: failed reading the frame payload: %w, note that the frame header looked like an HTTP/1.1 header", ErrFrameTooLarge) + return fh, fmt.Errorf("http2: failed reading the frame payload: %w, note that the frame header looked like an HTTP/1.1 header", ErrFrameTooLarge) } - return nil, ErrFrameTooLarge + return fh, ErrFrameTooLarge + } + if err := fr.checkFrameOrder(fh); err != nil { + return fh, err + } + return fh, nil +} + +// ReadFrameForHeader reads the payload for the frame with the given FrameHeader. +// +// It behaves identically to ReadFrame, other than not checking the maximum +// frame size. +func (fr *Framer) ReadFrameForHeader(fh FrameHeader) (Frame, error) { + if fr.lastFrame != nil { + fr.lastFrame.invalidate() } payload := fr.getReadBuf(fh.Length) if _, err := io.ReadFull(fr.r, payload); err != nil { @@ -527,9 +540,7 @@ func (fr *Framer) ReadFrame() (Frame, error) { } return nil, err } - if err := fr.checkFrameOrder(f); err != nil { - return nil, err - } + fr.lastFrame = f if fr.logReads { fr.debugReadLoggerf("http2: Framer %p: read %v", fr, summarizeFrame(f)) } @@ -539,6 +550,24 @@ func (fr *Framer) ReadFrame() (Frame, error) { return f, nil } +// ReadFrame reads a single frame. The returned Frame is only valid +// until the next call to ReadFrame or ReadFrameBodyForHeader. +// +// If the frame is larger than previously set with SetMaxReadFrameSize, the +// returned error is ErrFrameTooLarge. Other errors may be of type +// ConnectionError, StreamError, or anything else from the underlying +// reader. +// +// If ReadFrame returns an error and a non-nil Frame, the Frame's StreamID +// indicates the stream responsible for the error. +func (fr *Framer) ReadFrame() (Frame, error) { + fh, err := fr.ReadFrameHeader() + if err != nil { + return nil, err + } + return fr.ReadFrameForHeader(fh) +} + // connError returns ConnectionError(code) but first // stashes away a public reason to the caller can optionally relay it // to the peer before hanging up on them. This might help others debug @@ -551,20 +580,19 @@ func (fr *Framer) connError(code ErrCode, reason string) error { // checkFrameOrder reports an error if f is an invalid frame to return // next from ReadFrame. Mostly it checks whether HEADERS and // CONTINUATION frames are contiguous. -func (fr *Framer) checkFrameOrder(f Frame) error { - last := fr.lastFrame - fr.lastFrame = f +func (fr *Framer) checkFrameOrder(fh FrameHeader) error { + lastType := fr.lastFrameType + fr.lastFrameType = fh.Type if fr.AllowIllegalReads { return nil } - fh := f.Header() if fr.lastHeaderStream != 0 { if fh.Type != FrameContinuation { return fr.connError(ErrCodeProtocol, fmt.Sprintf("got %s for stream %d; expected CONTINUATION following %s for stream %d", fh.Type, fh.StreamID, - last.Header().Type, fr.lastHeaderStream)) + lastType, fr.lastHeaderStream)) } if fh.StreamID != fr.lastHeaderStream { return fr.connError(ErrCodeProtocol, @@ -1152,7 +1180,16 @@ type PriorityFrame struct { PriorityParam } -// PriorityParam are the stream prioritzation parameters. +var defaultRFC9218Priority = PriorityParam{ + incremental: 0, + urgency: 3, +} + +// Note that HTTP/2 has had two different prioritization schemes, and +// PriorityParam struct below is a superset of both schemes. The exported +// symbols are from RFC 7540 and the non-exported ones are from RFC 9218. + +// PriorityParam are the stream prioritization parameters. type PriorityParam struct { // StreamDep is a 31-bit stream identifier for the // stream that this stream depends on. Zero means no @@ -1167,6 +1204,20 @@ type PriorityParam struct { // the spec, "Add one to the value to obtain a weight between // 1 and 256." Weight uint8 + + // "The urgency (u) parameter value is Integer (see Section 3.3.1 of + // [STRUCTURED-FIELDS]), between 0 and 7 inclusive, in descending order of + // priority. The default is 3." + urgency uint8 + + // "The incremental (i) parameter value is Boolean (see Section 3.3.6 of + // [STRUCTURED-FIELDS]). It indicates if an HTTP response can be processed + // incrementally, i.e., provide some meaningful output as chunks of the + // response arrive." + // + // We use uint8 (i.e. 0 is false, 1 is true) instead of bool so we can + // avoid unnecessary type conversions and because either type takes 1 byte. + incremental uint8 } func (p PriorityParam) IsZero() bool { diff --git a/vendor/golang.org/x/net/http2/gotrack.go b/vendor/golang.org/x/net/http2/gotrack.go index 9933c9f8c7..9921ca096d 100644 --- a/vendor/golang.org/x/net/http2/gotrack.go +++ b/vendor/golang.org/x/net/http2/gotrack.go @@ -15,21 +15,32 @@ import ( "runtime" "strconv" "sync" + "sync/atomic" ) var DebugGoroutines = os.Getenv("DEBUG_HTTP2_GOROUTINES") == "1" +// Setting DebugGoroutines to false during a test to disable goroutine debugging +// results in race detector complaints when a test leaves goroutines running before +// returning. Tests shouldn't do this, of course, but when they do it generally shows +// up as infrequent, hard-to-debug flakes. (See #66519.) +// +// Disable goroutine debugging during individual tests with an atomic bool. +// (Note that it's safe to enable/disable debugging mid-test, so the actual race condition +// here is harmless.) +var disableDebugGoroutines atomic.Bool + type goroutineLock uint64 func newGoroutineLock() goroutineLock { - if !DebugGoroutines { + if !DebugGoroutines || disableDebugGoroutines.Load() { return 0 } return goroutineLock(curGoroutineID()) } func (g goroutineLock) check() { - if !DebugGoroutines { + if !DebugGoroutines || disableDebugGoroutines.Load() { return } if curGoroutineID() != uint64(g) { @@ -38,7 +49,7 @@ func (g goroutineLock) check() { } func (g goroutineLock) checkNotOn() { - if !DebugGoroutines { + if !DebugGoroutines || disableDebugGoroutines.Load() { return } if curGoroutineID() == uint64(g) { diff --git a/vendor/golang.org/x/net/http2/http2.go b/vendor/golang.org/x/net/http2/http2.go index ea5ae629fd..105fe12fef 100644 --- a/vendor/golang.org/x/net/http2/http2.go +++ b/vendor/golang.org/x/net/http2/http2.go @@ -15,7 +15,6 @@ package http2 // import "golang.org/x/net/http2" import ( "bufio" - "context" "crypto/tls" "errors" "fmt" @@ -35,7 +34,6 @@ var ( VerboseLogs bool logFrameWrites bool logFrameReads bool - inTests bool // Enabling extended CONNECT by causes browsers to attempt to use // WebSockets-over-HTTP/2. This results in problems when the server's websocket @@ -255,15 +253,13 @@ func (cw closeWaiter) Wait() { // idle memory usage with many connections. type bufferedWriter struct { _ incomparable - group synctestGroupInterface // immutable - conn net.Conn // immutable - bw *bufio.Writer // non-nil when data is buffered - byteTimeout time.Duration // immutable, WriteByteTimeout + conn net.Conn // immutable + bw *bufio.Writer // non-nil when data is buffered + byteTimeout time.Duration // immutable, WriteByteTimeout } -func newBufferedWriter(group synctestGroupInterface, conn net.Conn, timeout time.Duration) *bufferedWriter { +func newBufferedWriter(conn net.Conn, timeout time.Duration) *bufferedWriter { return &bufferedWriter{ - group: group, conn: conn, byteTimeout: timeout, } @@ -314,24 +310,18 @@ func (w *bufferedWriter) Flush() error { type bufferedWriterTimeoutWriter bufferedWriter func (w *bufferedWriterTimeoutWriter) Write(p []byte) (n int, err error) { - return writeWithByteTimeout(w.group, w.conn, w.byteTimeout, p) + return writeWithByteTimeout(w.conn, w.byteTimeout, p) } // writeWithByteTimeout writes to conn. // If more than timeout passes without any bytes being written to the connection, // the write fails. -func writeWithByteTimeout(group synctestGroupInterface, conn net.Conn, timeout time.Duration, p []byte) (n int, err error) { +func writeWithByteTimeout(conn net.Conn, timeout time.Duration, p []byte) (n int, err error) { if timeout <= 0 { return conn.Write(p) } for { - var now time.Time - if group == nil { - now = time.Now() - } else { - now = group.Now() - } - conn.SetWriteDeadline(now.Add(timeout)) + conn.SetWriteDeadline(time.Now().Add(timeout)) nn, err := conn.Write(p[n:]) n += nn if n == len(p) || nn == 0 || !errors.Is(err, os.ErrDeadlineExceeded) { @@ -417,14 +407,3 @@ func (s *sorter) SortStrings(ss []string) { // makes that struct also non-comparable, and generally doesn't add // any size (as long as it's first). type incomparable [0]func() - -// synctestGroupInterface is the methods of synctestGroup used by Server and Transport. -// It's defined as an interface here to let us keep synctestGroup entirely test-only -// and not a part of non-test builds. -type synctestGroupInterface interface { - Join() - Now() time.Time - NewTimer(d time.Duration) timer - AfterFunc(d time.Duration, f func()) timer - ContextWithTimeout(ctx context.Context, d time.Duration) (context.Context, context.CancelFunc) -} diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go index 51fca38f61..bdc5520ebd 100644 --- a/vendor/golang.org/x/net/http2/server.go +++ b/vendor/golang.org/x/net/http2/server.go @@ -176,44 +176,15 @@ type Server struct { // so that we don't embed a Mutex in this struct, which will make the // struct non-copyable, which might break some callers. state *serverInternalState - - // Synchronization group used for testing. - // Outside of tests, this is nil. - group synctestGroupInterface -} - -func (s *Server) markNewGoroutine() { - if s.group != nil { - s.group.Join() - } -} - -func (s *Server) now() time.Time { - if s.group != nil { - return s.group.Now() - } - return time.Now() -} - -// newTimer creates a new time.Timer, or a synthetic timer in tests. -func (s *Server) newTimer(d time.Duration) timer { - if s.group != nil { - return s.group.NewTimer(d) - } - return timeTimer{time.NewTimer(d)} -} - -// afterFunc creates a new time.AfterFunc timer, or a synthetic timer in tests. -func (s *Server) afterFunc(d time.Duration, f func()) timer { - if s.group != nil { - return s.group.AfterFunc(d, f) - } - return timeTimer{time.AfterFunc(d, f)} } type serverInternalState struct { mu sync.Mutex activeConns map[*serverConn]struct{} + + // Pool of error channels. This is per-Server rather than global + // because channels can't be reused across synctest bubbles. + errChanPool sync.Pool } func (s *serverInternalState) registerConn(sc *serverConn) { @@ -245,6 +216,27 @@ func (s *serverInternalState) startGracefulShutdown() { s.mu.Unlock() } +// Global error channel pool used for uninitialized Servers. +// We use a per-Server pool when possible to avoid using channels across synctest bubbles. +var errChanPool = sync.Pool{ + New: func() any { return make(chan error, 1) }, +} + +func (s *serverInternalState) getErrChan() chan error { + if s == nil { + return errChanPool.Get().(chan error) // Server used without calling ConfigureServer + } + return s.errChanPool.Get().(chan error) +} + +func (s *serverInternalState) putErrChan(ch chan error) { + if s == nil { + errChanPool.Put(ch) // Server used without calling ConfigureServer + return + } + s.errChanPool.Put(ch) +} + // ConfigureServer adds HTTP/2 support to a net/http Server. // // The configuration conf may be nil. @@ -257,7 +249,10 @@ func ConfigureServer(s *http.Server, conf *Server) error { if conf == nil { conf = new(Server) } - conf.state = &serverInternalState{activeConns: make(map[*serverConn]struct{})} + conf.state = &serverInternalState{ + activeConns: make(map[*serverConn]struct{}), + errChanPool: sync.Pool{New: func() any { return make(chan error, 1) }}, + } if h1, h2 := s, conf; h2.IdleTimeout == 0 { if h1.IdleTimeout != 0 { h2.IdleTimeout = h1.IdleTimeout @@ -423,6 +418,9 @@ func (o *ServeConnOpts) handler() http.Handler { // // The opts parameter is optional. If nil, default values are used. func (s *Server) ServeConn(c net.Conn, opts *ServeConnOpts) { + if opts == nil { + opts = &ServeConnOpts{} + } s.serveConn(c, opts, nil) } @@ -438,7 +436,7 @@ func (s *Server) serveConn(c net.Conn, opts *ServeConnOpts, newf func(*serverCon conn: c, baseCtx: baseCtx, remoteAddrStr: c.RemoteAddr().String(), - bw: newBufferedWriter(s.group, c, conf.WriteByteTimeout), + bw: newBufferedWriter(c, conf.WriteByteTimeout), handler: opts.handler(), streams: make(map[uint32]*stream), readFrameCh: make(chan readFrameResult), @@ -638,11 +636,11 @@ type serverConn struct { pingSent bool sentPingData [8]byte goAwayCode ErrCode - shutdownTimer timer // nil until used - idleTimer timer // nil if unused + shutdownTimer *time.Timer // nil until used + idleTimer *time.Timer // nil if unused readIdleTimeout time.Duration pingTimeout time.Duration - readIdleTimer timer // nil if unused + readIdleTimer *time.Timer // nil if unused // Owned by the writeFrameAsync goroutine: headerWriteBuf bytes.Buffer @@ -687,12 +685,12 @@ type stream struct { flow outflow // limits writing from Handler to client inflow inflow // what the client is allowed to POST/etc to us state streamState - resetQueued bool // RST_STREAM queued for write; set by sc.resetStream - gotTrailerHeader bool // HEADER frame for trailers was seen - wroteHeaders bool // whether we wrote headers (not status 100) - readDeadline timer // nil if unused - writeDeadline timer // nil if unused - closeErr error // set before cw is closed + resetQueued bool // RST_STREAM queued for write; set by sc.resetStream + gotTrailerHeader bool // HEADER frame for trailers was seen + wroteHeaders bool // whether we wrote headers (not status 100) + readDeadline *time.Timer // nil if unused + writeDeadline *time.Timer // nil if unused + closeErr error // set before cw is closed trailer http.Header // accumulated trailers reqTrailer http.Header // handler's Request.Trailer @@ -848,7 +846,6 @@ type readFrameResult struct { // consumer is done with the frame. // It's run on its own goroutine. func (sc *serverConn) readFrames() { - sc.srv.markNewGoroutine() gate := make(chan struct{}) gateDone := func() { gate <- struct{}{} } for { @@ -881,7 +878,6 @@ type frameWriteResult struct { // At most one goroutine can be running writeFrameAsync at a time per // serverConn. func (sc *serverConn) writeFrameAsync(wr FrameWriteRequest, wd *writeData) { - sc.srv.markNewGoroutine() var err error if wd == nil { err = wr.write.writeFrame(sc) @@ -965,22 +961,22 @@ func (sc *serverConn) serve(conf http2Config) { sc.setConnState(http.StateIdle) if sc.srv.IdleTimeout > 0 { - sc.idleTimer = sc.srv.afterFunc(sc.srv.IdleTimeout, sc.onIdleTimer) + sc.idleTimer = time.AfterFunc(sc.srv.IdleTimeout, sc.onIdleTimer) defer sc.idleTimer.Stop() } if conf.SendPingTimeout > 0 { sc.readIdleTimeout = conf.SendPingTimeout - sc.readIdleTimer = sc.srv.afterFunc(conf.SendPingTimeout, sc.onReadIdleTimer) + sc.readIdleTimer = time.AfterFunc(conf.SendPingTimeout, sc.onReadIdleTimer) defer sc.readIdleTimer.Stop() } go sc.readFrames() // closed by defer sc.conn.Close above - settingsTimer := sc.srv.afterFunc(firstSettingsTimeout, sc.onSettingsTimer) + settingsTimer := time.AfterFunc(firstSettingsTimeout, sc.onSettingsTimer) defer settingsTimer.Stop() - lastFrameTime := sc.srv.now() + lastFrameTime := time.Now() loopNum := 0 for { loopNum++ @@ -994,7 +990,7 @@ func (sc *serverConn) serve(conf http2Config) { case res := <-sc.wroteFrameCh: sc.wroteFrame(res) case res := <-sc.readFrameCh: - lastFrameTime = sc.srv.now() + lastFrameTime = time.Now() // Process any written frames before reading new frames from the client since a // written frame could have triggered a new stream to be started. if sc.writingFrameAsync { @@ -1077,7 +1073,7 @@ func (sc *serverConn) handlePingTimer(lastFrameReadTime time.Time) { } pingAt := lastFrameReadTime.Add(sc.readIdleTimeout) - now := sc.srv.now() + now := time.Now() if pingAt.After(now) { // We received frames since arming the ping timer. // Reset it for the next possible timeout. @@ -1141,10 +1137,10 @@ func (sc *serverConn) readPreface() error { errc <- nil } }() - timer := sc.srv.newTimer(prefaceTimeout) // TODO: configurable on *Server? + timer := time.NewTimer(prefaceTimeout) // TODO: configurable on *Server? defer timer.Stop() select { - case <-timer.C(): + case <-timer.C: return errPrefaceTimeout case err := <-errc: if err == nil { @@ -1156,10 +1152,6 @@ func (sc *serverConn) readPreface() error { } } -var errChanPool = sync.Pool{ - New: func() interface{} { return make(chan error, 1) }, -} - var writeDataPool = sync.Pool{ New: func() interface{} { return new(writeData) }, } @@ -1167,7 +1159,7 @@ var writeDataPool = sync.Pool{ // writeDataFromHandler writes DATA response frames from a handler on // the given stream. func (sc *serverConn) writeDataFromHandler(stream *stream, data []byte, endStream bool) error { - ch := errChanPool.Get().(chan error) + ch := sc.srv.state.getErrChan() writeArg := writeDataPool.Get().(*writeData) *writeArg = writeData{stream.id, data, endStream} err := sc.writeFrameFromHandler(FrameWriteRequest{ @@ -1199,7 +1191,7 @@ func (sc *serverConn) writeDataFromHandler(stream *stream, data []byte, endStrea return errStreamClosed } } - errChanPool.Put(ch) + sc.srv.state.putErrChan(ch) if frameWriteDone { writeDataPool.Put(writeArg) } @@ -1513,7 +1505,7 @@ func (sc *serverConn) goAway(code ErrCode) { func (sc *serverConn) shutDownIn(d time.Duration) { sc.serveG.check() - sc.shutdownTimer = sc.srv.afterFunc(d, sc.onShutdownTimer) + sc.shutdownTimer = time.AfterFunc(d, sc.onShutdownTimer) } func (sc *serverConn) resetStream(se StreamError) { @@ -2118,7 +2110,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { // (in Go 1.8), though. That's a more sane option anyway. if sc.hs.ReadTimeout > 0 { sc.conn.SetReadDeadline(time.Time{}) - st.readDeadline = sc.srv.afterFunc(sc.hs.ReadTimeout, st.onReadTimeout) + st.readDeadline = time.AfterFunc(sc.hs.ReadTimeout, st.onReadTimeout) } return sc.scheduleHandler(id, rw, req, handler) @@ -2216,7 +2208,7 @@ func (sc *serverConn) newStream(id, pusherID uint32, state streamState) *stream st.flow.add(sc.initialStreamSendWindowSize) st.inflow.init(sc.initialStreamRecvWindowSize) if sc.hs.WriteTimeout > 0 { - st.writeDeadline = sc.srv.afterFunc(sc.hs.WriteTimeout, st.onWriteTimeout) + st.writeDeadline = time.AfterFunc(sc.hs.WriteTimeout, st.onWriteTimeout) } sc.streams[id] = st @@ -2405,7 +2397,6 @@ func (sc *serverConn) handlerDone() { // Run on its own goroutine. func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { - sc.srv.markNewGoroutine() defer sc.sendServeMsg(handlerDoneMsg) didPanic := true defer func() { @@ -2454,7 +2445,7 @@ func (sc *serverConn) writeHeaders(st *stream, headerData *writeResHeaders) erro // waiting for this frame to be written, so an http.Flush mid-handler // writes out the correct value of keys, before a handler later potentially // mutates it. - errc = errChanPool.Get().(chan error) + errc = sc.srv.state.getErrChan() } if err := sc.writeFrameFromHandler(FrameWriteRequest{ write: headerData, @@ -2466,7 +2457,7 @@ func (sc *serverConn) writeHeaders(st *stream, headerData *writeResHeaders) erro if errc != nil { select { case err := <-errc: - errChanPool.Put(errc) + sc.srv.state.putErrChan(errc) return err case <-sc.doneServing: return errClientDisconnected @@ -2573,7 +2564,7 @@ func (b *requestBody) Read(p []byte) (n int, err error) { if err == io.EOF { b.sawEOF = true } - if b.conn == nil && inTests { + if b.conn == nil { return } b.conn.noteBodyReadFromHandler(b.stream, n, err) @@ -2702,7 +2693,7 @@ func (rws *responseWriterState) writeChunk(p []byte) (n int, err error) { var date string if _, ok := rws.snapHeader["Date"]; !ok { // TODO(bradfitz): be faster here, like net/http? measure. - date = rws.conn.srv.now().UTC().Format(http.TimeFormat) + date = time.Now().UTC().Format(http.TimeFormat) } for _, v := range rws.snapHeader["Trailer"] { @@ -2824,7 +2815,7 @@ func (rws *responseWriterState) promoteUndeclaredTrailers() { func (w *responseWriter) SetReadDeadline(deadline time.Time) error { st := w.rws.stream - if !deadline.IsZero() && deadline.Before(w.rws.conn.srv.now()) { + if !deadline.IsZero() && deadline.Before(time.Now()) { // If we're setting a deadline in the past, reset the stream immediately // so writes after SetWriteDeadline returns will fail. st.onReadTimeout() @@ -2840,9 +2831,9 @@ func (w *responseWriter) SetReadDeadline(deadline time.Time) error { if deadline.IsZero() { st.readDeadline = nil } else if st.readDeadline == nil { - st.readDeadline = sc.srv.afterFunc(deadline.Sub(sc.srv.now()), st.onReadTimeout) + st.readDeadline = time.AfterFunc(deadline.Sub(time.Now()), st.onReadTimeout) } else { - st.readDeadline.Reset(deadline.Sub(sc.srv.now())) + st.readDeadline.Reset(deadline.Sub(time.Now())) } }) return nil @@ -2850,7 +2841,7 @@ func (w *responseWriter) SetReadDeadline(deadline time.Time) error { func (w *responseWriter) SetWriteDeadline(deadline time.Time) error { st := w.rws.stream - if !deadline.IsZero() && deadline.Before(w.rws.conn.srv.now()) { + if !deadline.IsZero() && deadline.Before(time.Now()) { // If we're setting a deadline in the past, reset the stream immediately // so writes after SetWriteDeadline returns will fail. st.onWriteTimeout() @@ -2866,9 +2857,9 @@ func (w *responseWriter) SetWriteDeadline(deadline time.Time) error { if deadline.IsZero() { st.writeDeadline = nil } else if st.writeDeadline == nil { - st.writeDeadline = sc.srv.afterFunc(deadline.Sub(sc.srv.now()), st.onWriteTimeout) + st.writeDeadline = time.AfterFunc(deadline.Sub(time.Now()), st.onWriteTimeout) } else { - st.writeDeadline.Reset(deadline.Sub(sc.srv.now())) + st.writeDeadline.Reset(deadline.Sub(time.Now())) } }) return nil @@ -3147,7 +3138,7 @@ func (w *responseWriter) Push(target string, opts *http.PushOptions) error { method: opts.Method, url: u, header: cloneHeader(opts.Header), - done: errChanPool.Get().(chan error), + done: sc.srv.state.getErrChan(), } select { @@ -3164,7 +3155,7 @@ func (w *responseWriter) Push(target string, opts *http.PushOptions) error { case <-st.cw: return errStreamClosed case err := <-msg.done: - errChanPool.Put(msg.done) + sc.srv.state.putErrChan(msg.done) return err } } diff --git a/vendor/golang.org/x/net/http2/timer.go b/vendor/golang.org/x/net/http2/timer.go deleted file mode 100644 index 0b1c17b812..0000000000 --- a/vendor/golang.org/x/net/http2/timer.go +++ /dev/null @@ -1,20 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. -package http2 - -import "time" - -// A timer is a time.Timer, as an interface which can be replaced in tests. -type timer = interface { - C() <-chan time.Time - Reset(d time.Duration) bool - Stop() bool -} - -// timeTimer adapts a time.Timer to the timer interface. -type timeTimer struct { - *time.Timer -} - -func (t timeTimer) C() <-chan time.Time { return t.Timer.C } diff --git a/vendor/golang.org/x/net/http2/transport.go b/vendor/golang.org/x/net/http2/transport.go index f26356b9cd..1965913e54 100644 --- a/vendor/golang.org/x/net/http2/transport.go +++ b/vendor/golang.org/x/net/http2/transport.go @@ -9,6 +9,7 @@ package http2 import ( "bufio" "bytes" + "compress/flate" "compress/gzip" "context" "crypto/rand" @@ -193,50 +194,6 @@ type Transport struct { type transportTestHooks struct { newclientconn func(*ClientConn) - group synctestGroupInterface -} - -func (t *Transport) markNewGoroutine() { - if t != nil && t.transportTestHooks != nil { - t.transportTestHooks.group.Join() - } -} - -func (t *Transport) now() time.Time { - if t != nil && t.transportTestHooks != nil { - return t.transportTestHooks.group.Now() - } - return time.Now() -} - -func (t *Transport) timeSince(when time.Time) time.Duration { - if t != nil && t.transportTestHooks != nil { - return t.now().Sub(when) - } - return time.Since(when) -} - -// newTimer creates a new time.Timer, or a synthetic timer in tests. -func (t *Transport) newTimer(d time.Duration) timer { - if t.transportTestHooks != nil { - return t.transportTestHooks.group.NewTimer(d) - } - return timeTimer{time.NewTimer(d)} -} - -// afterFunc creates a new time.AfterFunc timer, or a synthetic timer in tests. -func (t *Transport) afterFunc(d time.Duration, f func()) timer { - if t.transportTestHooks != nil { - return t.transportTestHooks.group.AfterFunc(d, f) - } - return timeTimer{time.AfterFunc(d, f)} -} - -func (t *Transport) contextWithTimeout(ctx context.Context, d time.Duration) (context.Context, context.CancelFunc) { - if t.transportTestHooks != nil { - return t.transportTestHooks.group.ContextWithTimeout(ctx, d) - } - return context.WithTimeout(ctx, d) } func (t *Transport) maxHeaderListSize() uint32 { @@ -366,7 +323,7 @@ type ClientConn struct { readerErr error // set before readerDone is closed idleTimeout time.Duration // or 0 for never - idleTimer timer + idleTimer *time.Timer mu sync.Mutex // guards following cond *sync.Cond // hold mu; broadcast on flow/closed changes @@ -399,6 +356,7 @@ type ClientConn struct { readIdleTimeout time.Duration pingTimeout time.Duration extendedConnectAllowed bool + strictMaxConcurrentStreams bool // rstStreamPingsBlocked works around an unfortunate gRPC behavior. // gRPC strictly limits the number of PING frames that it will receive. @@ -534,14 +492,12 @@ func (cs *clientStream) closeReqBodyLocked() { cs.reqBodyClosed = make(chan struct{}) reqBodyClosed := cs.reqBodyClosed go func() { - cs.cc.t.markNewGoroutine() cs.reqBody.Close() close(reqBodyClosed) }() } type stickyErrWriter struct { - group synctestGroupInterface conn net.Conn timeout time.Duration err *error @@ -551,7 +507,7 @@ func (sew stickyErrWriter) Write(p []byte) (n int, err error) { if *sew.err != nil { return 0, *sew.err } - n, err = writeWithByteTimeout(sew.group, sew.conn, sew.timeout, p) + n, err = writeWithByteTimeout(sew.conn, sew.timeout, p) *sew.err = err return n, err } @@ -650,9 +606,9 @@ func (t *Transport) RoundTripOpt(req *http.Request, opt RoundTripOpt) (*http.Res backoff := float64(uint(1) << (uint(retry) - 1)) backoff += backoff * (0.1 * mathrand.Float64()) d := time.Second * time.Duration(backoff) - tm := t.newTimer(d) + tm := time.NewTimer(d) select { - case <-tm.C(): + case <-tm.C: t.vlogf("RoundTrip retrying after failure: %v", roundTripErr) continue case <-req.Context().Done(): @@ -699,6 +655,7 @@ var ( errClientConnUnusable = errors.New("http2: client conn not usable") errClientConnNotEstablished = errors.New("http2: client conn could not be established") errClientConnGotGoAway = errors.New("http2: Transport received Server's graceful shutdown GOAWAY") + errClientConnForceClosed = errors.New("http2: client connection force closed via ClientConn.Close") ) // shouldRetryRequest is called by RoundTrip when a request fails to get @@ -829,7 +786,8 @@ func (t *Transport) newClientConn(c net.Conn, singleUse bool) (*ClientConn, erro initialWindowSize: 65535, // spec default initialStreamRecvWindowSize: conf.MaxUploadBufferPerStream, maxConcurrentStreams: initialMaxConcurrentStreams, // "infinite", per spec. Use a smaller value until we have received server settings. - peerMaxHeaderListSize: 0xffffffffffffffff, // "infinite", per spec. Use 2^64-1 instead. + strictMaxConcurrentStreams: conf.StrictMaxConcurrentRequests, + peerMaxHeaderListSize: 0xffffffffffffffff, // "infinite", per spec. Use 2^64-1 instead. streams: make(map[uint32]*clientStream), singleUse: singleUse, seenSettingsChan: make(chan struct{}), @@ -838,14 +796,11 @@ func (t *Transport) newClientConn(c net.Conn, singleUse bool) (*ClientConn, erro pingTimeout: conf.PingTimeout, pings: make(map[[8]byte]chan struct{}), reqHeaderMu: make(chan struct{}, 1), - lastActive: t.now(), + lastActive: time.Now(), } - var group synctestGroupInterface if t.transportTestHooks != nil { - t.markNewGoroutine() t.transportTestHooks.newclientconn(cc) c = cc.tconn - group = t.group } if VerboseLogs { t.vlogf("http2: Transport creating client conn %p to %v", cc, c.RemoteAddr()) @@ -857,7 +812,6 @@ func (t *Transport) newClientConn(c net.Conn, singleUse bool) (*ClientConn, erro // TODO: adjust this writer size to account for frame size + // MTU + crypto/tls record padding. cc.bw = bufio.NewWriter(stickyErrWriter{ - group: group, conn: c, timeout: conf.WriteByteTimeout, err: &cc.werr, @@ -906,7 +860,7 @@ func (t *Transport) newClientConn(c net.Conn, singleUse bool) (*ClientConn, erro // Start the idle timer after the connection is fully initialized. if d := t.idleConnTimeout(); d != 0 { cc.idleTimeout = d - cc.idleTimer = t.afterFunc(d, cc.onIdleTimeout) + cc.idleTimer = time.AfterFunc(d, cc.onIdleTimeout) } go cc.readLoop() @@ -917,7 +871,7 @@ func (cc *ClientConn) healthCheck() { pingTimeout := cc.pingTimeout // We don't need to periodically ping in the health check, because the readLoop of ClientConn will // trigger the healthCheck again if there is no frame received. - ctx, cancel := cc.t.contextWithTimeout(context.Background(), pingTimeout) + ctx, cancel := context.WithTimeout(context.Background(), pingTimeout) defer cancel() cc.vlogf("http2: Transport sending health check") err := cc.Ping(ctx) @@ -1067,7 +1021,7 @@ func (cc *ClientConn) idleStateLocked() (st clientConnIdleState) { return } var maxConcurrentOkay bool - if cc.t.StrictMaxConcurrentStreams { + if cc.strictMaxConcurrentStreams { // We'll tell the caller we can take a new request to // prevent the caller from dialing a new TCP // connection, but then we'll block later before @@ -1120,7 +1074,7 @@ func (cc *ClientConn) tooIdleLocked() bool { // times are compared based on their wall time. We don't want // to reuse a connection that's been sitting idle during // VM/laptop suspend if monotonic time was also frozen. - return cc.idleTimeout != 0 && !cc.lastIdle.IsZero() && cc.t.timeSince(cc.lastIdle.Round(0)) > cc.idleTimeout + return cc.idleTimeout != 0 && !cc.lastIdle.IsZero() && time.Since(cc.lastIdle.Round(0)) > cc.idleTimeout } // onIdleTimeout is called from a time.AfterFunc goroutine. It will @@ -1186,7 +1140,6 @@ func (cc *ClientConn) Shutdown(ctx context.Context) error { done := make(chan struct{}) cancelled := false // guarded by cc.mu go func() { - cc.t.markNewGoroutine() cc.mu.Lock() defer cc.mu.Unlock() for { @@ -1257,8 +1210,7 @@ func (cc *ClientConn) closeForError(err error) { // // In-flight requests are interrupted. For a graceful shutdown, use Shutdown instead. func (cc *ClientConn) Close() error { - err := errors.New("http2: client connection force closed via ClientConn.Close") - cc.closeForError(err) + cc.closeForError(errClientConnForceClosed) return nil } @@ -1427,7 +1379,6 @@ func (cc *ClientConn) roundTrip(req *http.Request, streamf func(*clientStream)) // // It sends the request and performs post-request cleanup (closing Request.Body, etc.). func (cs *clientStream) doRequest(req *http.Request, streamf func(*clientStream)) { - cs.cc.t.markNewGoroutine() err := cs.writeRequest(req, streamf) cs.cleanupWriteRequest(err) } @@ -1558,9 +1509,9 @@ func (cs *clientStream) writeRequest(req *http.Request, streamf func(*clientStre var respHeaderTimer <-chan time.Time var respHeaderRecv chan struct{} if d := cc.responseHeaderTimeout(); d != 0 { - timer := cc.t.newTimer(d) + timer := time.NewTimer(d) defer timer.Stop() - respHeaderTimer = timer.C() + respHeaderTimer = timer.C respHeaderRecv = cs.respHeaderRecv } // Wait until the peer half-closes its end of the stream, @@ -1753,7 +1704,7 @@ func (cc *ClientConn) awaitOpenSlotForStreamLocked(cs *clientStream) error { // Return a fatal error which aborts the retry loop. return errClientConnNotEstablished } - cc.lastActive = cc.t.now() + cc.lastActive = time.Now() if cc.closed || !cc.canTakeNewRequestLocked() { return errClientConnUnusable } @@ -2092,10 +2043,10 @@ func (cc *ClientConn) forgetStreamID(id uint32) { if len(cc.streams) != slen-1 { panic("forgetting unknown stream id") } - cc.lastActive = cc.t.now() + cc.lastActive = time.Now() if len(cc.streams) == 0 && cc.idleTimer != nil { cc.idleTimer.Reset(cc.idleTimeout) - cc.lastIdle = cc.t.now() + cc.lastIdle = time.Now() } // Wake up writeRequestBody via clientStream.awaitFlowControl and // wake up RoundTrip if there is a pending request. @@ -2121,7 +2072,6 @@ type clientConnReadLoop struct { // readLoop runs in its own goroutine and reads and dispatches frames. func (cc *ClientConn) readLoop() { - cc.t.markNewGoroutine() rl := &clientConnReadLoop{cc: cc} defer rl.cleanup() cc.readerErr = rl.run() @@ -2188,9 +2138,9 @@ func (rl *clientConnReadLoop) cleanup() { if cc.idleTimeout > 0 && unusedWaitTime > cc.idleTimeout { unusedWaitTime = cc.idleTimeout } - idleTime := cc.t.now().Sub(cc.lastActive) + idleTime := time.Now().Sub(cc.lastActive) if atomic.LoadUint32(&cc.atomicReused) == 0 && idleTime < unusedWaitTime && !cc.closedOnIdle { - cc.idleTimer = cc.t.afterFunc(unusedWaitTime-idleTime, func() { + cc.idleTimer = time.AfterFunc(unusedWaitTime-idleTime, func() { cc.t.connPool().MarkDead(cc) }) } else { @@ -2250,9 +2200,9 @@ func (rl *clientConnReadLoop) run() error { cc := rl.cc gotSettings := false readIdleTimeout := cc.readIdleTimeout - var t timer + var t *time.Timer if readIdleTimeout != 0 { - t = cc.t.afterFunc(readIdleTimeout, cc.healthCheck) + t = time.AfterFunc(readIdleTimeout, cc.healthCheck) } for { f, err := cc.fr.ReadFrame() @@ -2998,7 +2948,6 @@ func (cc *ClientConn) Ping(ctx context.Context) error { var pingError error errc := make(chan struct{}) go func() { - cc.t.markNewGoroutine() cc.wmu.Lock() defer cc.wmu.Unlock() if pingError = cc.fr.WritePing(false, p); pingError != nil { @@ -3128,35 +3077,102 @@ type erringRoundTripper struct{ err error } func (rt erringRoundTripper) RoundTripErr() error { return rt.err } func (rt erringRoundTripper) RoundTrip(*http.Request) (*http.Response, error) { return nil, rt.err } +var errConcurrentReadOnResBody = errors.New("http2: concurrent read on response body") + // gzipReader wraps a response body so it can lazily -// call gzip.NewReader on the first call to Read +// get gzip.Reader from the pool on the first call to Read. +// After Close is called it puts gzip.Reader to the pool immediately +// if there is no Read in progress or later when Read completes. type gzipReader struct { _ incomparable body io.ReadCloser // underlying Response.Body - zr *gzip.Reader // lazily-initialized gzip reader - zerr error // sticky error + mu sync.Mutex // guards zr and zerr + zr *gzip.Reader // stores gzip reader from the pool between reads + zerr error // sticky gzip reader init error or sentinel value to detect concurrent read and read after close } -func (gz *gzipReader) Read(p []byte) (n int, err error) { +type eofReader struct{} + +func (eofReader) Read([]byte) (int, error) { return 0, io.EOF } +func (eofReader) ReadByte() (byte, error) { return 0, io.EOF } + +var gzipPool = sync.Pool{New: func() any { return new(gzip.Reader) }} + +// gzipPoolGet gets a gzip.Reader from the pool and resets it to read from r. +func gzipPoolGet(r io.Reader) (*gzip.Reader, error) { + zr := gzipPool.Get().(*gzip.Reader) + if err := zr.Reset(r); err != nil { + gzipPoolPut(zr) + return nil, err + } + return zr, nil +} + +// gzipPoolPut puts a gzip.Reader back into the pool. +func gzipPoolPut(zr *gzip.Reader) { + // Reset will allocate bufio.Reader if we pass it anything + // other than a flate.Reader, so ensure that it's getting one. + var r flate.Reader = eofReader{} + zr.Reset(r) + gzipPool.Put(zr) +} + +// acquire returns a gzip.Reader for reading response body. +// The reader must be released after use. +func (gz *gzipReader) acquire() (*gzip.Reader, error) { + gz.mu.Lock() + defer gz.mu.Unlock() if gz.zerr != nil { - return 0, gz.zerr + return nil, gz.zerr } if gz.zr == nil { - gz.zr, err = gzip.NewReader(gz.body) - if err != nil { - gz.zerr = err - return 0, err + gz.zr, gz.zerr = gzipPoolGet(gz.body) + if gz.zerr != nil { + return nil, gz.zerr } } - return gz.zr.Read(p) + ret := gz.zr + gz.zr, gz.zerr = nil, errConcurrentReadOnResBody + return ret, nil } -func (gz *gzipReader) Close() error { - if err := gz.body.Close(); err != nil { - return err +// release returns the gzip.Reader to the pool if Close was called during Read. +func (gz *gzipReader) release(zr *gzip.Reader) { + gz.mu.Lock() + defer gz.mu.Unlock() + if gz.zerr == errConcurrentReadOnResBody { + gz.zr, gz.zerr = zr, nil + } else { // fs.ErrClosed + gzipPoolPut(zr) + } +} + +// close returns the gzip.Reader to the pool immediately or +// signals release to do so after Read completes. +func (gz *gzipReader) close() { + gz.mu.Lock() + defer gz.mu.Unlock() + if gz.zerr == nil && gz.zr != nil { + gzipPoolPut(gz.zr) + gz.zr = nil } gz.zerr = fs.ErrClosed - return nil +} + +func (gz *gzipReader) Read(p []byte) (n int, err error) { + zr, err := gz.acquire() + if err != nil { + return 0, err + } + defer gz.release(zr) + + return zr.Read(p) +} + +func (gz *gzipReader) Close() error { + gz.close() + + return gz.body.Close() } type errorReader struct{ err error } @@ -3228,7 +3244,7 @@ func traceGotConn(req *http.Request, cc *ClientConn, reused bool) { cc.mu.Lock() ci.WasIdle = len(cc.streams) == 0 && reused if ci.WasIdle && !cc.lastActive.IsZero() { - ci.IdleTime = cc.t.timeSince(cc.lastActive) + ci.IdleTime = time.Since(cc.lastActive) } cc.mu.Unlock() diff --git a/vendor/golang.org/x/net/http2/writesched.go b/vendor/golang.org/x/net/http2/writesched.go index cc893adc29..7de27be525 100644 --- a/vendor/golang.org/x/net/http2/writesched.go +++ b/vendor/golang.org/x/net/http2/writesched.go @@ -42,6 +42,8 @@ type OpenStreamOptions struct { // PusherID is zero if the stream was initiated by the client. Otherwise, // PusherID names the stream that pushed the newly opened stream. PusherID uint32 + // priority is used to set the priority of the newly opened stream. + priority PriorityParam } // FrameWriteRequest is a request to write a frame. @@ -183,45 +185,75 @@ func (wr *FrameWriteRequest) replyToWriter(err error) { } // writeQueue is used by implementations of WriteScheduler. +// +// Each writeQueue contains a queue of FrameWriteRequests, meant to store all +// FrameWriteRequests associated with a given stream. This is implemented as a +// two-stage queue: currQueue[currPos:] and nextQueue. Removing an item is done +// by incrementing currPos of currQueue. Adding an item is done by appending it +// to the nextQueue. If currQueue is empty when trying to remove an item, we +// can swap currQueue and nextQueue to remedy the situation. +// This two-stage queue is analogous to the use of two lists in Okasaki's +// purely functional queue but without the overhead of reversing the list when +// swapping stages. +// +// writeQueue also contains prev and next, this can be used by implementations +// of WriteScheduler to construct data structures that represent the order of +// writing between different streams (e.g. circular linked list). type writeQueue struct { - s []FrameWriteRequest + currQueue []FrameWriteRequest + nextQueue []FrameWriteRequest + currPos int + prev, next *writeQueue } -func (q *writeQueue) empty() bool { return len(q.s) == 0 } +func (q *writeQueue) empty() bool { + return (len(q.currQueue) - q.currPos + len(q.nextQueue)) == 0 +} func (q *writeQueue) push(wr FrameWriteRequest) { - q.s = append(q.s, wr) + q.nextQueue = append(q.nextQueue, wr) } func (q *writeQueue) shift() FrameWriteRequest { - if len(q.s) == 0 { + if q.empty() { panic("invalid use of queue") } - wr := q.s[0] - // TODO: less copy-happy queue. - copy(q.s, q.s[1:]) - q.s[len(q.s)-1] = FrameWriteRequest{} - q.s = q.s[:len(q.s)-1] + if q.currPos >= len(q.currQueue) { + q.currQueue, q.currPos, q.nextQueue = q.nextQueue, 0, q.currQueue[:0] + } + wr := q.currQueue[q.currPos] + q.currQueue[q.currPos] = FrameWriteRequest{} + q.currPos++ return wr } +func (q *writeQueue) peek() *FrameWriteRequest { + if q.currPos < len(q.currQueue) { + return &q.currQueue[q.currPos] + } + if len(q.nextQueue) > 0 { + return &q.nextQueue[0] + } + return nil +} + // consume consumes up to n bytes from q.s[0]. If the frame is // entirely consumed, it is removed from the queue. If the frame // is partially consumed, the frame is kept with the consumed // bytes removed. Returns true iff any bytes were consumed. func (q *writeQueue) consume(n int32) (FrameWriteRequest, bool) { - if len(q.s) == 0 { + if q.empty() { return FrameWriteRequest{}, false } - consumed, rest, numresult := q.s[0].Consume(n) + consumed, rest, numresult := q.peek().Consume(n) switch numresult { case 0: return FrameWriteRequest{}, false case 1: q.shift() case 2: - q.s[0] = rest + *q.peek() = rest } return consumed, true } @@ -230,10 +262,15 @@ type writeQueuePool []*writeQueue // put inserts an unused writeQueue into the pool. func (p *writeQueuePool) put(q *writeQueue) { - for i := range q.s { - q.s[i] = FrameWriteRequest{} + for i := range q.currQueue { + q.currQueue[i] = FrameWriteRequest{} + } + for i := range q.nextQueue { + q.nextQueue[i] = FrameWriteRequest{} } - q.s = q.s[:0] + q.currQueue = q.currQueue[:0] + q.nextQueue = q.nextQueue[:0] + q.currPos = 0 *p = append(*p, q) } diff --git a/vendor/golang.org/x/net/http2/writesched_priority.go b/vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go similarity index 77% rename from vendor/golang.org/x/net/http2/writesched_priority.go rename to vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go index f6783339d1..4e33c29a24 100644 --- a/vendor/golang.org/x/net/http2/writesched_priority.go +++ b/vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go @@ -11,7 +11,7 @@ import ( ) // RFC 7540, Section 5.3.5: the default weight is 16. -const priorityDefaultWeight = 15 // 16 = 15 + 1 +const priorityDefaultWeightRFC7540 = 15 // 16 = 15 + 1 // PriorityWriteSchedulerConfig configures a priorityWriteScheduler. type PriorityWriteSchedulerConfig struct { @@ -66,8 +66,8 @@ func NewPriorityWriteScheduler(cfg *PriorityWriteSchedulerConfig) WriteScheduler } } - ws := &priorityWriteScheduler{ - nodes: make(map[uint32]*priorityNode), + ws := &priorityWriteSchedulerRFC7540{ + nodes: make(map[uint32]*priorityNodeRFC7540), maxClosedNodesInTree: cfg.MaxClosedNodesInTree, maxIdleNodesInTree: cfg.MaxIdleNodesInTree, enableWriteThrottle: cfg.ThrottleOutOfOrderWrites, @@ -81,32 +81,32 @@ func NewPriorityWriteScheduler(cfg *PriorityWriteSchedulerConfig) WriteScheduler return ws } -type priorityNodeState int +type priorityNodeStateRFC7540 int const ( - priorityNodeOpen priorityNodeState = iota - priorityNodeClosed - priorityNodeIdle + priorityNodeOpenRFC7540 priorityNodeStateRFC7540 = iota + priorityNodeClosedRFC7540 + priorityNodeIdleRFC7540 ) -// priorityNode is a node in an HTTP/2 priority tree. +// priorityNodeRFC7540 is a node in an HTTP/2 priority tree. // Each node is associated with a single stream ID. // See RFC 7540, Section 5.3. -type priorityNode struct { - q writeQueue // queue of pending frames to write - id uint32 // id of the stream, or 0 for the root of the tree - weight uint8 // the actual weight is weight+1, so the value is in [1,256] - state priorityNodeState // open | closed | idle - bytes int64 // number of bytes written by this node, or 0 if closed - subtreeBytes int64 // sum(node.bytes) of all nodes in this subtree +type priorityNodeRFC7540 struct { + q writeQueue // queue of pending frames to write + id uint32 // id of the stream, or 0 for the root of the tree + weight uint8 // the actual weight is weight+1, so the value is in [1,256] + state priorityNodeStateRFC7540 // open | closed | idle + bytes int64 // number of bytes written by this node, or 0 if closed + subtreeBytes int64 // sum(node.bytes) of all nodes in this subtree // These links form the priority tree. - parent *priorityNode - kids *priorityNode // start of the kids list - prev, next *priorityNode // doubly-linked list of siblings + parent *priorityNodeRFC7540 + kids *priorityNodeRFC7540 // start of the kids list + prev, next *priorityNodeRFC7540 // doubly-linked list of siblings } -func (n *priorityNode) setParent(parent *priorityNode) { +func (n *priorityNodeRFC7540) setParent(parent *priorityNodeRFC7540) { if n == parent { panic("setParent to self") } @@ -141,7 +141,7 @@ func (n *priorityNode) setParent(parent *priorityNode) { } } -func (n *priorityNode) addBytes(b int64) { +func (n *priorityNodeRFC7540) addBytes(b int64) { n.bytes += b for ; n != nil; n = n.parent { n.subtreeBytes += b @@ -154,7 +154,7 @@ func (n *priorityNode) addBytes(b int64) { // // f(n, openParent) takes two arguments: the node to visit, n, and a bool that is true // if any ancestor p of n is still open (ignoring the root node). -func (n *priorityNode) walkReadyInOrder(openParent bool, tmp *[]*priorityNode, f func(*priorityNode, bool) bool) bool { +func (n *priorityNodeRFC7540) walkReadyInOrder(openParent bool, tmp *[]*priorityNodeRFC7540, f func(*priorityNodeRFC7540, bool) bool) bool { if !n.q.empty() && f(n, openParent) { return true } @@ -165,7 +165,7 @@ func (n *priorityNode) walkReadyInOrder(openParent bool, tmp *[]*priorityNode, f // Don't consider the root "open" when updating openParent since // we can't send data frames on the root stream (only control frames). if n.id != 0 { - openParent = openParent || (n.state == priorityNodeOpen) + openParent = openParent || (n.state == priorityNodeOpenRFC7540) } // Common case: only one kid or all kids have the same weight. @@ -195,7 +195,7 @@ func (n *priorityNode) walkReadyInOrder(openParent bool, tmp *[]*priorityNode, f *tmp = append(*tmp, n.kids) n.kids.setParent(nil) } - sort.Sort(sortPriorityNodeSiblings(*tmp)) + sort.Sort(sortPriorityNodeSiblingsRFC7540(*tmp)) for i := len(*tmp) - 1; i >= 0; i-- { (*tmp)[i].setParent(n) // setParent inserts at the head of n.kids } @@ -207,15 +207,15 @@ func (n *priorityNode) walkReadyInOrder(openParent bool, tmp *[]*priorityNode, f return false } -type sortPriorityNodeSiblings []*priorityNode +type sortPriorityNodeSiblingsRFC7540 []*priorityNodeRFC7540 -func (z sortPriorityNodeSiblings) Len() int { return len(z) } -func (z sortPriorityNodeSiblings) Swap(i, k int) { z[i], z[k] = z[k], z[i] } -func (z sortPriorityNodeSiblings) Less(i, k int) bool { +func (z sortPriorityNodeSiblingsRFC7540) Len() int { return len(z) } +func (z sortPriorityNodeSiblingsRFC7540) Swap(i, k int) { z[i], z[k] = z[k], z[i] } +func (z sortPriorityNodeSiblingsRFC7540) Less(i, k int) bool { // Prefer the subtree that has sent fewer bytes relative to its weight. // See sections 5.3.2 and 5.3.4. - wi, bi := float64(z[i].weight+1), float64(z[i].subtreeBytes) - wk, bk := float64(z[k].weight+1), float64(z[k].subtreeBytes) + wi, bi := float64(z[i].weight)+1, float64(z[i].subtreeBytes) + wk, bk := float64(z[k].weight)+1, float64(z[k].subtreeBytes) if bi == 0 && bk == 0 { return wi >= wk } @@ -225,13 +225,13 @@ func (z sortPriorityNodeSiblings) Less(i, k int) bool { return bi/bk <= wi/wk } -type priorityWriteScheduler struct { +type priorityWriteSchedulerRFC7540 struct { // root is the root of the priority tree, where root.id = 0. // The root queues control frames that are not associated with any stream. - root priorityNode + root priorityNodeRFC7540 // nodes maps stream ids to priority tree nodes. - nodes map[uint32]*priorityNode + nodes map[uint32]*priorityNodeRFC7540 // maxID is the maximum stream id in nodes. maxID uint32 @@ -239,7 +239,7 @@ type priorityWriteScheduler struct { // lists of nodes that have been closed or are idle, but are kept in // the tree for improved prioritization. When the lengths exceed either // maxClosedNodesInTree or maxIdleNodesInTree, old nodes are discarded. - closedNodes, idleNodes []*priorityNode + closedNodes, idleNodes []*priorityNodeRFC7540 // From the config. maxClosedNodesInTree int @@ -248,19 +248,19 @@ type priorityWriteScheduler struct { enableWriteThrottle bool // tmp is scratch space for priorityNode.walkReadyInOrder to reduce allocations. - tmp []*priorityNode + tmp []*priorityNodeRFC7540 // pool of empty queues for reuse. queuePool writeQueuePool } -func (ws *priorityWriteScheduler) OpenStream(streamID uint32, options OpenStreamOptions) { +func (ws *priorityWriteSchedulerRFC7540) OpenStream(streamID uint32, options OpenStreamOptions) { // The stream may be currently idle but cannot be opened or closed. if curr := ws.nodes[streamID]; curr != nil { - if curr.state != priorityNodeIdle { + if curr.state != priorityNodeIdleRFC7540 { panic(fmt.Sprintf("stream %d already opened", streamID)) } - curr.state = priorityNodeOpen + curr.state = priorityNodeOpenRFC7540 return } @@ -272,11 +272,11 @@ func (ws *priorityWriteScheduler) OpenStream(streamID uint32, options OpenStream if parent == nil { parent = &ws.root } - n := &priorityNode{ + n := &priorityNodeRFC7540{ q: *ws.queuePool.get(), id: streamID, - weight: priorityDefaultWeight, - state: priorityNodeOpen, + weight: priorityDefaultWeightRFC7540, + state: priorityNodeOpenRFC7540, } n.setParent(parent) ws.nodes[streamID] = n @@ -285,24 +285,23 @@ func (ws *priorityWriteScheduler) OpenStream(streamID uint32, options OpenStream } } -func (ws *priorityWriteScheduler) CloseStream(streamID uint32) { +func (ws *priorityWriteSchedulerRFC7540) CloseStream(streamID uint32) { if streamID == 0 { panic("violation of WriteScheduler interface: cannot close stream 0") } if ws.nodes[streamID] == nil { panic(fmt.Sprintf("violation of WriteScheduler interface: unknown stream %d", streamID)) } - if ws.nodes[streamID].state != priorityNodeOpen { + if ws.nodes[streamID].state != priorityNodeOpenRFC7540 { panic(fmt.Sprintf("violation of WriteScheduler interface: stream %d already closed", streamID)) } n := ws.nodes[streamID] - n.state = priorityNodeClosed + n.state = priorityNodeClosedRFC7540 n.addBytes(-n.bytes) q := n.q ws.queuePool.put(&q) - n.q.s = nil if ws.maxClosedNodesInTree > 0 { ws.addClosedOrIdleNode(&ws.closedNodes, ws.maxClosedNodesInTree, n) } else { @@ -310,7 +309,7 @@ func (ws *priorityWriteScheduler) CloseStream(streamID uint32) { } } -func (ws *priorityWriteScheduler) AdjustStream(streamID uint32, priority PriorityParam) { +func (ws *priorityWriteSchedulerRFC7540) AdjustStream(streamID uint32, priority PriorityParam) { if streamID == 0 { panic("adjustPriority on root") } @@ -324,11 +323,11 @@ func (ws *priorityWriteScheduler) AdjustStream(streamID uint32, priority Priorit return } ws.maxID = streamID - n = &priorityNode{ + n = &priorityNodeRFC7540{ q: *ws.queuePool.get(), id: streamID, - weight: priorityDefaultWeight, - state: priorityNodeIdle, + weight: priorityDefaultWeightRFC7540, + state: priorityNodeIdleRFC7540, } n.setParent(&ws.root) ws.nodes[streamID] = n @@ -340,7 +339,7 @@ func (ws *priorityWriteScheduler) AdjustStream(streamID uint32, priority Priorit parent := ws.nodes[priority.StreamDep] if parent == nil { n.setParent(&ws.root) - n.weight = priorityDefaultWeight + n.weight = priorityDefaultWeightRFC7540 return } @@ -381,8 +380,8 @@ func (ws *priorityWriteScheduler) AdjustStream(streamID uint32, priority Priorit n.weight = priority.Weight } -func (ws *priorityWriteScheduler) Push(wr FrameWriteRequest) { - var n *priorityNode +func (ws *priorityWriteSchedulerRFC7540) Push(wr FrameWriteRequest) { + var n *priorityNodeRFC7540 if wr.isControl() { n = &ws.root } else { @@ -401,8 +400,8 @@ func (ws *priorityWriteScheduler) Push(wr FrameWriteRequest) { n.q.push(wr) } -func (ws *priorityWriteScheduler) Pop() (wr FrameWriteRequest, ok bool) { - ws.root.walkReadyInOrder(false, &ws.tmp, func(n *priorityNode, openParent bool) bool { +func (ws *priorityWriteSchedulerRFC7540) Pop() (wr FrameWriteRequest, ok bool) { + ws.root.walkReadyInOrder(false, &ws.tmp, func(n *priorityNodeRFC7540, openParent bool) bool { limit := int32(math.MaxInt32) if openParent { limit = ws.writeThrottleLimit @@ -428,7 +427,7 @@ func (ws *priorityWriteScheduler) Pop() (wr FrameWriteRequest, ok bool) { return wr, ok } -func (ws *priorityWriteScheduler) addClosedOrIdleNode(list *[]*priorityNode, maxSize int, n *priorityNode) { +func (ws *priorityWriteSchedulerRFC7540) addClosedOrIdleNode(list *[]*priorityNodeRFC7540, maxSize int, n *priorityNodeRFC7540) { if maxSize == 0 { return } @@ -442,7 +441,7 @@ func (ws *priorityWriteScheduler) addClosedOrIdleNode(list *[]*priorityNode, max *list = append(*list, n) } -func (ws *priorityWriteScheduler) removeNode(n *priorityNode) { +func (ws *priorityWriteSchedulerRFC7540) removeNode(n *priorityNodeRFC7540) { for n.kids != nil { n.kids.setParent(n.parent) } diff --git a/vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go b/vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go new file mode 100644 index 0000000000..cb4cadc32d --- /dev/null +++ b/vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go @@ -0,0 +1,209 @@ +// Copyright 2025 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package http2 + +import ( + "fmt" + "math" +) + +type streamMetadata struct { + location *writeQueue + priority PriorityParam +} + +type priorityWriteSchedulerRFC9218 struct { + // control contains control frames (SETTINGS, PING, etc.). + control writeQueue + + // heads contain the head of a circular list of streams. + // We put these heads within a nested array that represents urgency and + // incremental, as defined in + // https://www.rfc-editor.org/rfc/rfc9218.html#name-priority-parameters. + // 8 represents u=0 up to u=7, and 2 represents i=false and i=true. + heads [8][2]*writeQueue + + // streams contains a mapping between each stream ID and their metadata, so + // we can quickly locate them when needing to, for example, adjust their + // priority. + streams map[uint32]streamMetadata + + // queuePool are empty queues for reuse. + queuePool writeQueuePool + + // prioritizeIncremental is used to determine whether we should prioritize + // incremental streams or not, when urgency is the same in a given Pop() + // call. + prioritizeIncremental bool +} + +func newPriorityWriteSchedulerRFC9218() WriteScheduler { + ws := &priorityWriteSchedulerRFC9218{ + streams: make(map[uint32]streamMetadata), + } + return ws +} + +func (ws *priorityWriteSchedulerRFC9218) OpenStream(streamID uint32, opt OpenStreamOptions) { + if ws.streams[streamID].location != nil { + panic(fmt.Errorf("stream %d already opened", streamID)) + } + q := ws.queuePool.get() + ws.streams[streamID] = streamMetadata{ + location: q, + priority: opt.priority, + } + + u, i := opt.priority.urgency, opt.priority.incremental + if ws.heads[u][i] == nil { + ws.heads[u][i] = q + q.next = q + q.prev = q + } else { + // Queues are stored in a ring. + // Insert the new stream before ws.head, putting it at the end of the list. + q.prev = ws.heads[u][i].prev + q.next = ws.heads[u][i] + q.prev.next = q + q.next.prev = q + } +} + +func (ws *priorityWriteSchedulerRFC9218) CloseStream(streamID uint32) { + metadata := ws.streams[streamID] + q, u, i := metadata.location, metadata.priority.urgency, metadata.priority.incremental + if q == nil { + return + } + if q.next == q { + // This was the only open stream. + ws.heads[u][i] = nil + } else { + q.prev.next = q.next + q.next.prev = q.prev + if ws.heads[u][i] == q { + ws.heads[u][i] = q.next + } + } + delete(ws.streams, streamID) + ws.queuePool.put(q) +} + +func (ws *priorityWriteSchedulerRFC9218) AdjustStream(streamID uint32, priority PriorityParam) { + metadata := ws.streams[streamID] + q, u, i := metadata.location, metadata.priority.urgency, metadata.priority.incremental + if q == nil { + return + } + + // Remove stream from current location. + if q.next == q { + // This was the only open stream. + ws.heads[u][i] = nil + } else { + q.prev.next = q.next + q.next.prev = q.prev + if ws.heads[u][i] == q { + ws.heads[u][i] = q.next + } + } + + // Insert stream to the new queue. + u, i = priority.urgency, priority.incremental + if ws.heads[u][i] == nil { + ws.heads[u][i] = q + q.next = q + q.prev = q + } else { + // Queues are stored in a ring. + // Insert the new stream before ws.head, putting it at the end of the list. + q.prev = ws.heads[u][i].prev + q.next = ws.heads[u][i] + q.prev.next = q + q.next.prev = q + } + + // Update the metadata. + ws.streams[streamID] = streamMetadata{ + location: q, + priority: priority, + } +} + +func (ws *priorityWriteSchedulerRFC9218) Push(wr FrameWriteRequest) { + if wr.isControl() { + ws.control.push(wr) + return + } + q := ws.streams[wr.StreamID()].location + if q == nil { + // This is a closed stream. + // wr should not be a HEADERS or DATA frame. + // We push the request onto the control queue. + if wr.DataSize() > 0 { + panic("add DATA on non-open stream") + } + ws.control.push(wr) + return + } + q.push(wr) +} + +func (ws *priorityWriteSchedulerRFC9218) Pop() (FrameWriteRequest, bool) { + // Control and RST_STREAM frames first. + if !ws.control.empty() { + return ws.control.shift(), true + } + + // On the next Pop(), we want to prioritize incremental if we prioritized + // non-incremental request of the same urgency this time. Vice-versa. + // i.e. when there are incremental and non-incremental requests at the same + // priority, we give 50% of our bandwidth to the incremental ones in + // aggregate and 50% to the first non-incremental one (since + // non-incremental streams do not use round-robin writes). + ws.prioritizeIncremental = !ws.prioritizeIncremental + + // Always prioritize lowest u (i.e. highest urgency level). + for u := range ws.heads { + for i := range ws.heads[u] { + // When we want to prioritize incremental, we try to pop i=true + // first before i=false when u is the same. + if ws.prioritizeIncremental { + i = (i + 1) % 2 + } + q := ws.heads[u][i] + if q == nil { + continue + } + for { + if wr, ok := q.consume(math.MaxInt32); ok { + if i == 1 { + // For incremental streams, we update head to q.next so + // we can round-robin between multiple streams that can + // immediately benefit from partial writes. + ws.heads[u][i] = q.next + } else { + // For non-incremental streams, we try to finish one to + // completion rather than doing round-robin. However, + // we update head here so that if q.consume() is !ok + // (e.g. the stream has no more frame to consume), head + // is updated to the next q that has frames to consume + // on future iterations. This way, we do not prioritize + // writing to unavailable stream on next Pop() calls, + // preventing head-of-line blocking. + ws.heads[u][i] = q + } + return wr, true + } + q = q.next + if q == ws.heads[u][i] { + break + } + } + + } + } + return FrameWriteRequest{}, false +} diff --git a/vendor/golang.org/x/net/http2/writesched_roundrobin.go b/vendor/golang.org/x/net/http2/writesched_roundrobin.go index 54fe86322d..737cff9ecb 100644 --- a/vendor/golang.org/x/net/http2/writesched_roundrobin.go +++ b/vendor/golang.org/x/net/http2/writesched_roundrobin.go @@ -25,7 +25,7 @@ type roundRobinWriteScheduler struct { } // newRoundRobinWriteScheduler constructs a new write scheduler. -// The round robin scheduler priorizes control frames +// The round robin scheduler prioritizes control frames // like SETTINGS and PING over DATA frames. // When there are no control frames to send, it performs a round-robin // selection from the ready streams. diff --git a/vendor/golang.org/x/net/internal/httpcommon/request.go b/vendor/golang.org/x/net/internal/httpcommon/request.go index 4b70553179..1e10f89ebf 100644 --- a/vendor/golang.org/x/net/internal/httpcommon/request.go +++ b/vendor/golang.org/x/net/internal/httpcommon/request.go @@ -51,7 +51,7 @@ type EncodeHeadersParam struct { DefaultUserAgent string } -// EncodeHeadersParam is the result of EncodeHeaders. +// EncodeHeadersResult is the result of EncodeHeaders. type EncodeHeadersResult struct { HasBody bool HasTrailers bool @@ -399,7 +399,7 @@ type ServerRequestResult struct { // If the request should be rejected, this is a short string suitable for passing // to the http2 package's CountError function. - // It might be a bit odd to return errors this way rather than returing an error, + // It might be a bit odd to return errors this way rather than returning an error, // but this ensures we don't forget to include a CountError reason. InvalidReason string } diff --git a/vendor/golang.org/x/sys/unix/affinity_linux.go b/vendor/golang.org/x/sys/unix/affinity_linux.go index 3c7a6d6e2f..3ea470387b 100644 --- a/vendor/golang.org/x/sys/unix/affinity_linux.go +++ b/vendor/golang.org/x/sys/unix/affinity_linux.go @@ -41,6 +41,15 @@ func (s *CPUSet) Zero() { clear(s[:]) } +// Fill adds all possible CPU bits to the set s. On Linux, [SchedSetaffinity] +// will silently ignore any invalid CPU bits in [CPUSet] so this is an +// efficient way of resetting the CPU affinity of a process. +func (s *CPUSet) Fill() { + for i := range s { + s[i] = ^cpuMask(0) + } +} + func cpuBitsIndex(cpu int) int { return cpu / _NCPUBITS } diff --git a/vendor/golang.org/x/sys/unix/fdset.go b/vendor/golang.org/x/sys/unix/fdset.go index 9e83d18cd0..62ed12645f 100644 --- a/vendor/golang.org/x/sys/unix/fdset.go +++ b/vendor/golang.org/x/sys/unix/fdset.go @@ -23,7 +23,5 @@ func (fds *FdSet) IsSet(fd int) bool { // Zero clears the set fds. func (fds *FdSet) Zero() { - for i := range fds.Bits { - fds.Bits[i] = 0 - } + clear(fds.Bits[:]) } diff --git a/vendor/golang.org/x/sys/unix/ifreq_linux.go b/vendor/golang.org/x/sys/unix/ifreq_linux.go index 848840ae4c..309f5a2b0c 100644 --- a/vendor/golang.org/x/sys/unix/ifreq_linux.go +++ b/vendor/golang.org/x/sys/unix/ifreq_linux.go @@ -111,9 +111,7 @@ func (ifr *Ifreq) SetUint32(v uint32) { // clear zeroes the ifreq's union field to prevent trailing garbage data from // being sent to the kernel if an ifreq is reused. func (ifr *Ifreq) clear() { - for i := range ifr.raw.Ifru { - ifr.raw.Ifru[i] = 0 - } + clear(ifr.raw.Ifru[:]) } // TODO(mdlayher): export as IfreqData? For now we can provide helpers such as diff --git a/vendor/golang.org/x/sys/unix/mkall.sh b/vendor/golang.org/x/sys/unix/mkall.sh index e6f31d374d..d0ed611912 100644 --- a/vendor/golang.org/x/sys/unix/mkall.sh +++ b/vendor/golang.org/x/sys/unix/mkall.sh @@ -49,6 +49,7 @@ esac if [[ "$GOOS" = "linux" ]]; then # Use the Docker-based build system # Files generated through docker (use $cmd so you can Ctl-C the build or run) + set -e $cmd docker build --tag generate:$GOOS $GOOS $cmd docker run --interactive --tty --volume $(cd -- "$(dirname -- "$0")/.." && pwd):/build generate:$GOOS exit diff --git a/vendor/golang.org/x/sys/unix/mkerrors.sh b/vendor/golang.org/x/sys/unix/mkerrors.sh index d1c8b2640e..42517077c4 100644 --- a/vendor/golang.org/x/sys/unix/mkerrors.sh +++ b/vendor/golang.org/x/sys/unix/mkerrors.sh @@ -226,6 +226,7 @@ struct ltchars { #include #include #include +#include #include #include #include @@ -529,6 +530,7 @@ ccflags="$@" $2 ~ /^O[CNPFPL][A-Z]+[^_][A-Z]+$/ || $2 ~ /^(NL|CR|TAB|BS|VT|FF)DLY$/ || $2 ~ /^(NL|CR|TAB|BS|VT|FF)[0-9]$/ || + $2 ~ /^(DT|EI|ELF|EV|NN|NT|PF|SHF|SHN|SHT|STB|STT|VER)_/ || $2 ~ /^O?XTABS$/ || $2 ~ /^TC[IO](ON|OFF)$/ || $2 ~ /^IN_/ || diff --git a/vendor/golang.org/x/sys/unix/syscall_linux.go b/vendor/golang.org/x/sys/unix/syscall_linux.go index 4958a65708..06c0eea6fb 100644 --- a/vendor/golang.org/x/sys/unix/syscall_linux.go +++ b/vendor/golang.org/x/sys/unix/syscall_linux.go @@ -801,9 +801,7 @@ func (sa *SockaddrPPPoE) sockaddr() (unsafe.Pointer, _Socklen, error) { // one. The kernel expects SID to be in network byte order. binary.BigEndian.PutUint16(sa.raw[6:8], sa.SID) copy(sa.raw[8:14], sa.Remote) - for i := 14; i < 14+IFNAMSIZ; i++ { - sa.raw[i] = 0 - } + clear(sa.raw[14 : 14+IFNAMSIZ]) copy(sa.raw[14:], sa.Dev) return unsafe.Pointer(&sa.raw), SizeofSockaddrPPPoX, nil } @@ -2645,3 +2643,9 @@ func SchedGetAttr(pid int, flags uint) (*SchedAttr, error) { //sys Cachestat(fd uint, crange *CachestatRange, cstat *Cachestat_t, flags uint) (err error) //sys Mseal(b []byte, flags uint) (err error) + +//sys setMemPolicy(mode int, mask *CPUSet, size int) (err error) = SYS_SET_MEMPOLICY + +func SetMemPolicy(mode int, mask *CPUSet) error { + return setMemPolicy(mode, mask, _CPU_SETSIZE) +} diff --git a/vendor/golang.org/x/sys/unix/syscall_netbsd.go b/vendor/golang.org/x/sys/unix/syscall_netbsd.go index 88162099af..34a4676973 100644 --- a/vendor/golang.org/x/sys/unix/syscall_netbsd.go +++ b/vendor/golang.org/x/sys/unix/syscall_netbsd.go @@ -248,6 +248,23 @@ func Statvfs(path string, buf *Statvfs_t) (err error) { return Statvfs1(path, buf, ST_WAIT) } +func Getvfsstat(buf []Statvfs_t, flags int) (n int, err error) { + var ( + _p0 unsafe.Pointer + bufsize uintptr + ) + if len(buf) > 0 { + _p0 = unsafe.Pointer(&buf[0]) + bufsize = unsafe.Sizeof(Statvfs_t{}) * uintptr(len(buf)) + } + r0, _, e1 := Syscall(SYS_GETVFSSTAT, uintptr(_p0), bufsize, uintptr(flags)) + n = int(r0) + if e1 != 0 { + err = e1 + } + return +} + /* * Exposed directly */ diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux.go b/vendor/golang.org/x/sys/unix/zerrors_linux.go index b6db27d937..d0a75da572 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux.go @@ -853,20 +853,86 @@ const ( DM_VERSION_MAJOR = 0x4 DM_VERSION_MINOR = 0x32 DM_VERSION_PATCHLEVEL = 0x0 + DT_ADDRRNGHI = 0x6ffffeff + DT_ADDRRNGLO = 0x6ffffe00 DT_BLK = 0x6 DT_CHR = 0x2 + DT_DEBUG = 0x15 DT_DIR = 0x4 + DT_ENCODING = 0x20 DT_FIFO = 0x1 + DT_FINI = 0xd + DT_FLAGS_1 = 0x6ffffffb + DT_GNU_HASH = 0x6ffffef5 + DT_HASH = 0x4 + DT_HIOS = 0x6ffff000 + DT_HIPROC = 0x7fffffff + DT_INIT = 0xc + DT_JMPREL = 0x17 DT_LNK = 0xa + DT_LOOS = 0x6000000d + DT_LOPROC = 0x70000000 + DT_NEEDED = 0x1 + DT_NULL = 0x0 + DT_PLTGOT = 0x3 + DT_PLTREL = 0x14 + DT_PLTRELSZ = 0x2 DT_REG = 0x8 + DT_REL = 0x11 + DT_RELA = 0x7 + DT_RELACOUNT = 0x6ffffff9 + DT_RELAENT = 0x9 + DT_RELASZ = 0x8 + DT_RELCOUNT = 0x6ffffffa + DT_RELENT = 0x13 + DT_RELSZ = 0x12 + DT_RPATH = 0xf DT_SOCK = 0xc + DT_SONAME = 0xe + DT_STRSZ = 0xa + DT_STRTAB = 0x5 + DT_SYMBOLIC = 0x10 + DT_SYMENT = 0xb + DT_SYMTAB = 0x6 + DT_TEXTREL = 0x16 DT_UNKNOWN = 0x0 + DT_VALRNGHI = 0x6ffffdff + DT_VALRNGLO = 0x6ffffd00 + DT_VERDEF = 0x6ffffffc + DT_VERDEFNUM = 0x6ffffffd + DT_VERNEED = 0x6ffffffe + DT_VERNEEDNUM = 0x6fffffff + DT_VERSYM = 0x6ffffff0 DT_WHT = 0xe ECHO = 0x8 ECRYPTFS_SUPER_MAGIC = 0xf15f EFD_SEMAPHORE = 0x1 EFIVARFS_MAGIC = 0xde5e81e4 EFS_SUPER_MAGIC = 0x414a53 + EI_CLASS = 0x4 + EI_DATA = 0x5 + EI_MAG0 = 0x0 + EI_MAG1 = 0x1 + EI_MAG2 = 0x2 + EI_MAG3 = 0x3 + EI_NIDENT = 0x10 + EI_OSABI = 0x7 + EI_PAD = 0x8 + EI_VERSION = 0x6 + ELFCLASS32 = 0x1 + ELFCLASS64 = 0x2 + ELFCLASSNONE = 0x0 + ELFCLASSNUM = 0x3 + ELFDATA2LSB = 0x1 + ELFDATA2MSB = 0x2 + ELFDATANONE = 0x0 + ELFMAG = "\177ELF" + ELFMAG0 = 0x7f + ELFMAG1 = 'E' + ELFMAG2 = 'L' + ELFMAG3 = 'F' + ELFOSABI_LINUX = 0x3 + ELFOSABI_NONE = 0x0 EM_386 = 0x3 EM_486 = 0x6 EM_68K = 0x4 @@ -1152,14 +1218,24 @@ const ( ETH_P_WCCP = 0x883e ETH_P_X25 = 0x805 ETH_P_XDSA = 0xf8 + ET_CORE = 0x4 + ET_DYN = 0x3 + ET_EXEC = 0x2 + ET_HIPROC = 0xffff + ET_LOPROC = 0xff00 + ET_NONE = 0x0 + ET_REL = 0x1 EV_ABS = 0x3 EV_CNT = 0x20 + EV_CURRENT = 0x1 EV_FF = 0x15 EV_FF_STATUS = 0x17 EV_KEY = 0x1 EV_LED = 0x11 EV_MAX = 0x1f EV_MSC = 0x4 + EV_NONE = 0x0 + EV_NUM = 0x2 EV_PWR = 0x16 EV_REL = 0x2 EV_REP = 0x14 @@ -2276,7 +2352,167 @@ const ( NLM_F_REPLACE = 0x100 NLM_F_REQUEST = 0x1 NLM_F_ROOT = 0x100 + NN_386_IOPERM = "LINUX" + NN_386_TLS = "LINUX" + NN_ARC_V2 = "LINUX" + NN_ARM_FPMR = "LINUX" + NN_ARM_GCS = "LINUX" + NN_ARM_HW_BREAK = "LINUX" + NN_ARM_HW_WATCH = "LINUX" + NN_ARM_PACA_KEYS = "LINUX" + NN_ARM_PACG_KEYS = "LINUX" + NN_ARM_PAC_ENABLED_KEYS = "LINUX" + NN_ARM_PAC_MASK = "LINUX" + NN_ARM_POE = "LINUX" + NN_ARM_SSVE = "LINUX" + NN_ARM_SVE = "LINUX" + NN_ARM_SYSTEM_CALL = "LINUX" + NN_ARM_TAGGED_ADDR_CTRL = "LINUX" + NN_ARM_TLS = "LINUX" + NN_ARM_VFP = "LINUX" + NN_ARM_ZA = "LINUX" + NN_ARM_ZT = "LINUX" + NN_AUXV = "CORE" + NN_FILE = "CORE" + NN_GNU_PROPERTY_TYPE_0 = "GNU" + NN_LOONGARCH_CPUCFG = "LINUX" + NN_LOONGARCH_CSR = "LINUX" + NN_LOONGARCH_HW_BREAK = "LINUX" + NN_LOONGARCH_HW_WATCH = "LINUX" + NN_LOONGARCH_LASX = "LINUX" + NN_LOONGARCH_LBT = "LINUX" + NN_LOONGARCH_LSX = "LINUX" + NN_MIPS_DSP = "LINUX" + NN_MIPS_FP_MODE = "LINUX" + NN_MIPS_MSA = "LINUX" + NN_PPC_DEXCR = "LINUX" + NN_PPC_DSCR = "LINUX" + NN_PPC_EBB = "LINUX" + NN_PPC_HASHKEYR = "LINUX" + NN_PPC_PKEY = "LINUX" + NN_PPC_PMU = "LINUX" + NN_PPC_PPR = "LINUX" + NN_PPC_SPE = "LINUX" + NN_PPC_TAR = "LINUX" + NN_PPC_TM_CDSCR = "LINUX" + NN_PPC_TM_CFPR = "LINUX" + NN_PPC_TM_CGPR = "LINUX" + NN_PPC_TM_CPPR = "LINUX" + NN_PPC_TM_CTAR = "LINUX" + NN_PPC_TM_CVMX = "LINUX" + NN_PPC_TM_CVSX = "LINUX" + NN_PPC_TM_SPR = "LINUX" + NN_PPC_VMX = "LINUX" + NN_PPC_VSX = "LINUX" + NN_PRFPREG = "CORE" + NN_PRPSINFO = "CORE" + NN_PRSTATUS = "CORE" + NN_PRXFPREG = "LINUX" + NN_RISCV_CSR = "LINUX" + NN_RISCV_TAGGED_ADDR_CTRL = "LINUX" + NN_RISCV_VECTOR = "LINUX" + NN_S390_CTRS = "LINUX" + NN_S390_GS_BC = "LINUX" + NN_S390_GS_CB = "LINUX" + NN_S390_HIGH_GPRS = "LINUX" + NN_S390_LAST_BREAK = "LINUX" + NN_S390_PREFIX = "LINUX" + NN_S390_PV_CPU_DATA = "LINUX" + NN_S390_RI_CB = "LINUX" + NN_S390_SYSTEM_CALL = "LINUX" + NN_S390_TDB = "LINUX" + NN_S390_TIMER = "LINUX" + NN_S390_TODCMP = "LINUX" + NN_S390_TODPREG = "LINUX" + NN_S390_VXRS_HIGH = "LINUX" + NN_S390_VXRS_LOW = "LINUX" + NN_SIGINFO = "CORE" + NN_TASKSTRUCT = "CORE" + NN_VMCOREDD = "LINUX" + NN_X86_SHSTK = "LINUX" + NN_X86_XSAVE_LAYOUT = "LINUX" + NN_X86_XSTATE = "LINUX" NSFS_MAGIC = 0x6e736673 + NT_386_IOPERM = 0x201 + NT_386_TLS = 0x200 + NT_ARC_V2 = 0x600 + NT_ARM_FPMR = 0x40e + NT_ARM_GCS = 0x410 + NT_ARM_HW_BREAK = 0x402 + NT_ARM_HW_WATCH = 0x403 + NT_ARM_PACA_KEYS = 0x407 + NT_ARM_PACG_KEYS = 0x408 + NT_ARM_PAC_ENABLED_KEYS = 0x40a + NT_ARM_PAC_MASK = 0x406 + NT_ARM_POE = 0x40f + NT_ARM_SSVE = 0x40b + NT_ARM_SVE = 0x405 + NT_ARM_SYSTEM_CALL = 0x404 + NT_ARM_TAGGED_ADDR_CTRL = 0x409 + NT_ARM_TLS = 0x401 + NT_ARM_VFP = 0x400 + NT_ARM_ZA = 0x40c + NT_ARM_ZT = 0x40d + NT_AUXV = 0x6 + NT_FILE = 0x46494c45 + NT_GNU_PROPERTY_TYPE_0 = 0x5 + NT_LOONGARCH_CPUCFG = 0xa00 + NT_LOONGARCH_CSR = 0xa01 + NT_LOONGARCH_HW_BREAK = 0xa05 + NT_LOONGARCH_HW_WATCH = 0xa06 + NT_LOONGARCH_LASX = 0xa03 + NT_LOONGARCH_LBT = 0xa04 + NT_LOONGARCH_LSX = 0xa02 + NT_MIPS_DSP = 0x800 + NT_MIPS_FP_MODE = 0x801 + NT_MIPS_MSA = 0x802 + NT_PPC_DEXCR = 0x111 + NT_PPC_DSCR = 0x105 + NT_PPC_EBB = 0x106 + NT_PPC_HASHKEYR = 0x112 + NT_PPC_PKEY = 0x110 + NT_PPC_PMU = 0x107 + NT_PPC_PPR = 0x104 + NT_PPC_SPE = 0x101 + NT_PPC_TAR = 0x103 + NT_PPC_TM_CDSCR = 0x10f + NT_PPC_TM_CFPR = 0x109 + NT_PPC_TM_CGPR = 0x108 + NT_PPC_TM_CPPR = 0x10e + NT_PPC_TM_CTAR = 0x10d + NT_PPC_TM_CVMX = 0x10a + NT_PPC_TM_CVSX = 0x10b + NT_PPC_TM_SPR = 0x10c + NT_PPC_VMX = 0x100 + NT_PPC_VSX = 0x102 + NT_PRFPREG = 0x2 + NT_PRPSINFO = 0x3 + NT_PRSTATUS = 0x1 + NT_PRXFPREG = 0x46e62b7f + NT_RISCV_CSR = 0x900 + NT_RISCV_TAGGED_ADDR_CTRL = 0x902 + NT_RISCV_VECTOR = 0x901 + NT_S390_CTRS = 0x304 + NT_S390_GS_BC = 0x30c + NT_S390_GS_CB = 0x30b + NT_S390_HIGH_GPRS = 0x300 + NT_S390_LAST_BREAK = 0x306 + NT_S390_PREFIX = 0x305 + NT_S390_PV_CPU_DATA = 0x30e + NT_S390_RI_CB = 0x30d + NT_S390_SYSTEM_CALL = 0x307 + NT_S390_TDB = 0x308 + NT_S390_TIMER = 0x301 + NT_S390_TODCMP = 0x302 + NT_S390_TODPREG = 0x303 + NT_S390_VXRS_HIGH = 0x30a + NT_S390_VXRS_LOW = 0x309 + NT_SIGINFO = 0x53494749 + NT_TASKSTRUCT = 0x4 + NT_VMCOREDD = 0x700 + NT_X86_SHSTK = 0x204 + NT_X86_XSAVE_LAYOUT = 0x205 + NT_X86_XSTATE = 0x202 OCFS2_SUPER_MAGIC = 0x7461636f OCRNL = 0x8 OFDEL = 0x80 @@ -2463,6 +2699,59 @@ const ( PERF_RECORD_MISC_USER = 0x2 PERF_SAMPLE_BRANCH_PLM_ALL = 0x7 PERF_SAMPLE_WEIGHT_TYPE = 0x1004000 + PF_ALG = 0x26 + PF_APPLETALK = 0x5 + PF_ASH = 0x12 + PF_ATMPVC = 0x8 + PF_ATMSVC = 0x14 + PF_AX25 = 0x3 + PF_BLUETOOTH = 0x1f + PF_BRIDGE = 0x7 + PF_CAIF = 0x25 + PF_CAN = 0x1d + PF_DECnet = 0xc + PF_ECONET = 0x13 + PF_FILE = 0x1 + PF_IB = 0x1b + PF_IEEE802154 = 0x24 + PF_INET = 0x2 + PF_INET6 = 0xa + PF_IPX = 0x4 + PF_IRDA = 0x17 + PF_ISDN = 0x22 + PF_IUCV = 0x20 + PF_KCM = 0x29 + PF_KEY = 0xf + PF_LLC = 0x1a + PF_LOCAL = 0x1 + PF_MAX = 0x2e + PF_MCTP = 0x2d + PF_MPLS = 0x1c + PF_NETBEUI = 0xd + PF_NETLINK = 0x10 + PF_NETROM = 0x6 + PF_NFC = 0x27 + PF_PACKET = 0x11 + PF_PHONET = 0x23 + PF_PPPOX = 0x18 + PF_QIPCRTR = 0x2a + PF_R = 0x4 + PF_RDS = 0x15 + PF_ROSE = 0xb + PF_ROUTE = 0x10 + PF_RXRPC = 0x21 + PF_SECURITY = 0xe + PF_SMC = 0x2b + PF_SNA = 0x16 + PF_TIPC = 0x1e + PF_UNIX = 0x1 + PF_UNSPEC = 0x0 + PF_VSOCK = 0x28 + PF_W = 0x2 + PF_WANPIPE = 0x19 + PF_X = 0x1 + PF_X25 = 0x9 + PF_XDP = 0x2c PID_FS_MAGIC = 0x50494446 PIPEFS_MAGIC = 0x50495045 PPPIOCGNPMODE = 0xc008744c @@ -2758,6 +3047,23 @@ const ( PTRACE_SYSCALL_INFO_NONE = 0x0 PTRACE_SYSCALL_INFO_SECCOMP = 0x3 PTRACE_TRACEME = 0x0 + PT_AARCH64_MEMTAG_MTE = 0x70000002 + PT_DYNAMIC = 0x2 + PT_GNU_EH_FRAME = 0x6474e550 + PT_GNU_PROPERTY = 0x6474e553 + PT_GNU_RELRO = 0x6474e552 + PT_GNU_STACK = 0x6474e551 + PT_HIOS = 0x6fffffff + PT_HIPROC = 0x7fffffff + PT_INTERP = 0x3 + PT_LOAD = 0x1 + PT_LOOS = 0x60000000 + PT_LOPROC = 0x70000000 + PT_NOTE = 0x4 + PT_NULL = 0x0 + PT_PHDR = 0x6 + PT_SHLIB = 0x5 + PT_TLS = 0x7 P_ALL = 0x0 P_PGID = 0x2 P_PID = 0x1 @@ -3091,6 +3397,47 @@ const ( SEEK_MAX = 0x4 SEEK_SET = 0x0 SELINUX_MAGIC = 0xf97cff8c + SHF_ALLOC = 0x2 + SHF_EXCLUDE = 0x8000000 + SHF_EXECINSTR = 0x4 + SHF_GROUP = 0x200 + SHF_INFO_LINK = 0x40 + SHF_LINK_ORDER = 0x80 + SHF_MASKOS = 0xff00000 + SHF_MASKPROC = 0xf0000000 + SHF_MERGE = 0x10 + SHF_ORDERED = 0x4000000 + SHF_OS_NONCONFORMING = 0x100 + SHF_RELA_LIVEPATCH = 0x100000 + SHF_RO_AFTER_INIT = 0x200000 + SHF_STRINGS = 0x20 + SHF_TLS = 0x400 + SHF_WRITE = 0x1 + SHN_ABS = 0xfff1 + SHN_COMMON = 0xfff2 + SHN_HIPROC = 0xff1f + SHN_HIRESERVE = 0xffff + SHN_LIVEPATCH = 0xff20 + SHN_LOPROC = 0xff00 + SHN_LORESERVE = 0xff00 + SHN_UNDEF = 0x0 + SHT_DYNAMIC = 0x6 + SHT_DYNSYM = 0xb + SHT_HASH = 0x5 + SHT_HIPROC = 0x7fffffff + SHT_HIUSER = 0xffffffff + SHT_LOPROC = 0x70000000 + SHT_LOUSER = 0x80000000 + SHT_NOBITS = 0x8 + SHT_NOTE = 0x7 + SHT_NULL = 0x0 + SHT_NUM = 0xc + SHT_PROGBITS = 0x1 + SHT_REL = 0x9 + SHT_RELA = 0x4 + SHT_SHLIB = 0xa + SHT_STRTAB = 0x3 + SHT_SYMTAB = 0x2 SHUT_RD = 0x0 SHUT_RDWR = 0x2 SHUT_WR = 0x1 @@ -3317,6 +3664,16 @@ const ( STATX_UID = 0x8 STATX_WRITE_ATOMIC = 0x10000 STATX__RESERVED = 0x80000000 + STB_GLOBAL = 0x1 + STB_LOCAL = 0x0 + STB_WEAK = 0x2 + STT_COMMON = 0x5 + STT_FILE = 0x4 + STT_FUNC = 0x2 + STT_NOTYPE = 0x0 + STT_OBJECT = 0x1 + STT_SECTION = 0x3 + STT_TLS = 0x6 SYNC_FILE_RANGE_WAIT_AFTER = 0x4 SYNC_FILE_RANGE_WAIT_BEFORE = 0x1 SYNC_FILE_RANGE_WRITE = 0x2 @@ -3553,6 +3910,8 @@ const ( UTIME_OMIT = 0x3ffffffe V9FS_MAGIC = 0x1021997 VERASE = 0x2 + VER_FLG_BASE = 0x1 + VER_FLG_WEAK = 0x2 VINTR = 0x0 VKILL = 0x3 VLNEXT = 0xf diff --git a/vendor/golang.org/x/sys/unix/zsyscall_linux.go b/vendor/golang.org/x/sys/unix/zsyscall_linux.go index 5cc1e8eb2f..8935d10a31 100644 --- a/vendor/golang.org/x/sys/unix/zsyscall_linux.go +++ b/vendor/golang.org/x/sys/unix/zsyscall_linux.go @@ -2238,3 +2238,13 @@ func Mseal(b []byte, flags uint) (err error) { } return } + +// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT + +func setMemPolicy(mode int, mask *CPUSet, size int) (err error) { + _, _, e1 := Syscall(SYS_SET_MEMPOLICY, uintptr(mode), uintptr(unsafe.Pointer(mask)), uintptr(size)) + if e1 != 0 { + err = errnoErr(e1) + } + return +} diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux.go b/vendor/golang.org/x/sys/unix/ztypes_linux.go index 944e75a11c..c1a4670171 100644 --- a/vendor/golang.org/x/sys/unix/ztypes_linux.go +++ b/vendor/golang.org/x/sys/unix/ztypes_linux.go @@ -3590,6 +3590,8 @@ type Nhmsg struct { Flags uint32 } +const SizeofNhmsg = 0x8 + type NexthopGrp struct { Id uint32 Weight uint8 @@ -3597,6 +3599,8 @@ type NexthopGrp struct { Resvd2 uint16 } +const SizeofNexthopGrp = 0x8 + const ( NHA_UNSPEC = 0x0 NHA_ID = 0x1 @@ -6332,3 +6336,30 @@ type SockDiagReq struct { } const RTM_NEWNVLAN = 0x70 + +const ( + MPOL_BIND = 0x2 + MPOL_DEFAULT = 0x0 + MPOL_F_ADDR = 0x2 + MPOL_F_MEMS_ALLOWED = 0x4 + MPOL_F_MOF = 0x8 + MPOL_F_MORON = 0x10 + MPOL_F_NODE = 0x1 + MPOL_F_NUMA_BALANCING = 0x2000 + MPOL_F_RELATIVE_NODES = 0x4000 + MPOL_F_SHARED = 0x1 + MPOL_F_STATIC_NODES = 0x8000 + MPOL_INTERLEAVE = 0x3 + MPOL_LOCAL = 0x4 + MPOL_MAX = 0x7 + MPOL_MF_INTERNAL = 0x10 + MPOL_MF_LAZY = 0x8 + MPOL_MF_MOVE_ALL = 0x4 + MPOL_MF_MOVE = 0x2 + MPOL_MF_STRICT = 0x1 + MPOL_MF_VALID = 0x7 + MPOL_MODE_FLAGS = 0xe000 + MPOL_PREFERRED = 0x1 + MPOL_PREFERRED_MANY = 0x5 + MPOL_WEIGHTED_INTERLEAVE = 0x6 +) diff --git a/vendor/golang.org/x/sys/windows/syscall_windows.go b/vendor/golang.org/x/sys/windows/syscall_windows.go index 640f6b153f..69439df2a4 100644 --- a/vendor/golang.org/x/sys/windows/syscall_windows.go +++ b/vendor/golang.org/x/sys/windows/syscall_windows.go @@ -321,6 +321,8 @@ func NewCallbackCDecl(fn interface{}) uintptr { //sys SetConsoleOutputCP(cp uint32) (err error) = kernel32.SetConsoleOutputCP //sys WriteConsole(console Handle, buf *uint16, towrite uint32, written *uint32, reserved *byte) (err error) = kernel32.WriteConsoleW //sys ReadConsole(console Handle, buf *uint16, toread uint32, read *uint32, inputControl *byte) (err error) = kernel32.ReadConsoleW +//sys GetNumberOfConsoleInputEvents(console Handle, numevents *uint32) (err error) = kernel32.GetNumberOfConsoleInputEvents +//sys FlushConsoleInputBuffer(console Handle) (err error) = kernel32.FlushConsoleInputBuffer //sys resizePseudoConsole(pconsole Handle, size uint32) (hr error) = kernel32.ResizePseudoConsole //sys CreateToolhelp32Snapshot(flags uint32, processId uint32) (handle Handle, err error) [failretval==InvalidHandle] = kernel32.CreateToolhelp32Snapshot //sys Module32First(snapshot Handle, moduleEntry *ModuleEntry32) (err error) = kernel32.Module32FirstW @@ -890,8 +892,12 @@ const socket_error = uintptr(^uint32(0)) //sys MultiByteToWideChar(codePage uint32, dwFlags uint32, str *byte, nstr int32, wchar *uint16, nwchar int32) (nwrite int32, err error) = kernel32.MultiByteToWideChar //sys getBestInterfaceEx(sockaddr unsafe.Pointer, pdwBestIfIndex *uint32) (errcode error) = iphlpapi.GetBestInterfaceEx //sys GetIfEntry2Ex(level uint32, row *MibIfRow2) (errcode error) = iphlpapi.GetIfEntry2Ex +//sys GetIpForwardEntry2(row *MibIpForwardRow2) (errcode error) = iphlpapi.GetIpForwardEntry2 +//sys GetIpForwardTable2(family uint16, table **MibIpForwardTable2) (errcode error) = iphlpapi.GetIpForwardTable2 //sys GetUnicastIpAddressEntry(row *MibUnicastIpAddressRow) (errcode error) = iphlpapi.GetUnicastIpAddressEntry +//sys FreeMibTable(memory unsafe.Pointer) = iphlpapi.FreeMibTable //sys NotifyIpInterfaceChange(family uint16, callback uintptr, callerContext unsafe.Pointer, initialNotification bool, notificationHandle *Handle) (errcode error) = iphlpapi.NotifyIpInterfaceChange +//sys NotifyRouteChange2(family uint16, callback uintptr, callerContext unsafe.Pointer, initialNotification bool, notificationHandle *Handle) (errcode error) = iphlpapi.NotifyRouteChange2 //sys NotifyUnicastIpAddressChange(family uint16, callback uintptr, callerContext unsafe.Pointer, initialNotification bool, notificationHandle *Handle) (errcode error) = iphlpapi.NotifyUnicastIpAddressChange //sys CancelMibChangeNotify2(notificationHandle Handle) (errcode error) = iphlpapi.CancelMibChangeNotify2 @@ -914,6 +920,17 @@ type RawSockaddrInet6 struct { Scope_id uint32 } +// RawSockaddrInet is a union that contains an IPv4, an IPv6 address, or an address family. See +// https://learn.microsoft.com/en-us/windows/win32/api/ws2ipdef/ns-ws2ipdef-sockaddr_inet. +// +// A [*RawSockaddrInet] may be converted to a [*RawSockaddrInet4] or [*RawSockaddrInet6] using +// unsafe, depending on the address family. +type RawSockaddrInet struct { + Family uint16 + Port uint16 + Data [6]uint32 +} + type RawSockaddr struct { Family uint16 Data [14]int8 diff --git a/vendor/golang.org/x/sys/windows/types_windows.go b/vendor/golang.org/x/sys/windows/types_windows.go index 993a2297db..6e4f50eb48 100644 --- a/vendor/golang.org/x/sys/windows/types_windows.go +++ b/vendor/golang.org/x/sys/windows/types_windows.go @@ -65,6 +65,22 @@ var signals = [...]string{ 15: "terminated", } +// File flags for [os.OpenFile]. The O_ prefix is used to indicate +// that these flags are specific to the OpenFile function. +const ( + O_FILE_FLAG_OPEN_NO_RECALL = FILE_FLAG_OPEN_NO_RECALL + O_FILE_FLAG_OPEN_REPARSE_POINT = FILE_FLAG_OPEN_REPARSE_POINT + O_FILE_FLAG_SESSION_AWARE = FILE_FLAG_SESSION_AWARE + O_FILE_FLAG_POSIX_SEMANTICS = FILE_FLAG_POSIX_SEMANTICS + O_FILE_FLAG_BACKUP_SEMANTICS = FILE_FLAG_BACKUP_SEMANTICS + O_FILE_FLAG_DELETE_ON_CLOSE = FILE_FLAG_DELETE_ON_CLOSE + O_FILE_FLAG_SEQUENTIAL_SCAN = FILE_FLAG_SEQUENTIAL_SCAN + O_FILE_FLAG_RANDOM_ACCESS = FILE_FLAG_RANDOM_ACCESS + O_FILE_FLAG_NO_BUFFERING = FILE_FLAG_NO_BUFFERING + O_FILE_FLAG_OVERLAPPED = FILE_FLAG_OVERLAPPED + O_FILE_FLAG_WRITE_THROUGH = FILE_FLAG_WRITE_THROUGH +) + const ( FILE_READ_DATA = 0x00000001 FILE_READ_ATTRIBUTES = 0x00000080 @@ -2304,6 +2320,82 @@ type MibIfRow2 struct { OutQLen uint64 } +// IP_ADDRESS_PREFIX stores an IP address prefix. See +// https://learn.microsoft.com/en-us/windows/win32/api/netioapi/ns-netioapi-ip_address_prefix. +type IpAddressPrefix struct { + Prefix RawSockaddrInet + PrefixLength uint8 +} + +// NL_ROUTE_ORIGIN enumeration from nldef.h or +// https://learn.microsoft.com/en-us/windows/win32/api/nldef/ne-nldef-nl_route_origin. +const ( + NlroManual = 0 + NlroWellKnown = 1 + NlroDHCP = 2 + NlroRouterAdvertisement = 3 + Nlro6to4 = 4 +) + +// NL_ROUTE_ORIGIN enumeration from nldef.h or +// https://learn.microsoft.com/en-us/windows/win32/api/nldef/ne-nldef-nl_route_protocol. +const ( + MIB_IPPROTO_OTHER = 1 + MIB_IPPROTO_LOCAL = 2 + MIB_IPPROTO_NETMGMT = 3 + MIB_IPPROTO_ICMP = 4 + MIB_IPPROTO_EGP = 5 + MIB_IPPROTO_GGP = 6 + MIB_IPPROTO_HELLO = 7 + MIB_IPPROTO_RIP = 8 + MIB_IPPROTO_IS_IS = 9 + MIB_IPPROTO_ES_IS = 10 + MIB_IPPROTO_CISCO = 11 + MIB_IPPROTO_BBN = 12 + MIB_IPPROTO_OSPF = 13 + MIB_IPPROTO_BGP = 14 + MIB_IPPROTO_IDPR = 15 + MIB_IPPROTO_EIGRP = 16 + MIB_IPPROTO_DVMRP = 17 + MIB_IPPROTO_RPL = 18 + MIB_IPPROTO_DHCP = 19 + MIB_IPPROTO_NT_AUTOSTATIC = 10002 + MIB_IPPROTO_NT_STATIC = 10006 + MIB_IPPROTO_NT_STATIC_NON_DOD = 10007 +) + +// MIB_IPFORWARD_ROW2 stores information about an IP route entry. See +// https://learn.microsoft.com/en-us/windows/win32/api/netioapi/ns-netioapi-mib_ipforward_row2. +type MibIpForwardRow2 struct { + InterfaceLuid uint64 + InterfaceIndex uint32 + DestinationPrefix IpAddressPrefix + NextHop RawSockaddrInet + SitePrefixLength uint8 + ValidLifetime uint32 + PreferredLifetime uint32 + Metric uint32 + Protocol uint32 + Loopback uint8 + AutoconfigureAddress uint8 + Publish uint8 + Immortal uint8 + Age uint32 + Origin uint32 +} + +// MIB_IPFORWARD_TABLE2 contains a table of IP route entries. See +// https://learn.microsoft.com/en-us/windows/win32/api/netioapi/ns-netioapi-mib_ipforward_table2. +type MibIpForwardTable2 struct { + NumEntries uint32 + Table [1]MibIpForwardRow2 +} + +// Rows returns the IP route entries in the table. +func (t *MibIpForwardTable2) Rows() []MibIpForwardRow2 { + return unsafe.Slice(&t.Table[0], t.NumEntries) +} + // MIB_UNICASTIPADDRESS_ROW stores information about a unicast IP address. See // https://learn.microsoft.com/en-us/windows/win32/api/netioapi/ns-netioapi-mib_unicastipaddress_row. type MibUnicastIpAddressRow struct { diff --git a/vendor/golang.org/x/sys/windows/zsyscall_windows.go b/vendor/golang.org/x/sys/windows/zsyscall_windows.go index 641a5f4b77..f25b7308a1 100644 --- a/vendor/golang.org/x/sys/windows/zsyscall_windows.go +++ b/vendor/golang.org/x/sys/windows/zsyscall_windows.go @@ -182,13 +182,17 @@ var ( procDwmGetWindowAttribute = moddwmapi.NewProc("DwmGetWindowAttribute") procDwmSetWindowAttribute = moddwmapi.NewProc("DwmSetWindowAttribute") procCancelMibChangeNotify2 = modiphlpapi.NewProc("CancelMibChangeNotify2") + procFreeMibTable = modiphlpapi.NewProc("FreeMibTable") procGetAdaptersAddresses = modiphlpapi.NewProc("GetAdaptersAddresses") procGetAdaptersInfo = modiphlpapi.NewProc("GetAdaptersInfo") procGetBestInterfaceEx = modiphlpapi.NewProc("GetBestInterfaceEx") procGetIfEntry = modiphlpapi.NewProc("GetIfEntry") procGetIfEntry2Ex = modiphlpapi.NewProc("GetIfEntry2Ex") + procGetIpForwardEntry2 = modiphlpapi.NewProc("GetIpForwardEntry2") + procGetIpForwardTable2 = modiphlpapi.NewProc("GetIpForwardTable2") procGetUnicastIpAddressEntry = modiphlpapi.NewProc("GetUnicastIpAddressEntry") procNotifyIpInterfaceChange = modiphlpapi.NewProc("NotifyIpInterfaceChange") + procNotifyRouteChange2 = modiphlpapi.NewProc("NotifyRouteChange2") procNotifyUnicastIpAddressChange = modiphlpapi.NewProc("NotifyUnicastIpAddressChange") procAddDllDirectory = modkernel32.NewProc("AddDllDirectory") procAssignProcessToJobObject = modkernel32.NewProc("AssignProcessToJobObject") @@ -238,6 +242,7 @@ var ( procFindResourceW = modkernel32.NewProc("FindResourceW") procFindVolumeClose = modkernel32.NewProc("FindVolumeClose") procFindVolumeMountPointClose = modkernel32.NewProc("FindVolumeMountPointClose") + procFlushConsoleInputBuffer = modkernel32.NewProc("FlushConsoleInputBuffer") procFlushFileBuffers = modkernel32.NewProc("FlushFileBuffers") procFlushViewOfFile = modkernel32.NewProc("FlushViewOfFile") procFormatMessageW = modkernel32.NewProc("FormatMessageW") @@ -284,6 +289,7 @@ var ( procGetNamedPipeHandleStateW = modkernel32.NewProc("GetNamedPipeHandleStateW") procGetNamedPipeInfo = modkernel32.NewProc("GetNamedPipeInfo") procGetNamedPipeServerProcessId = modkernel32.NewProc("GetNamedPipeServerProcessId") + procGetNumberOfConsoleInputEvents = modkernel32.NewProc("GetNumberOfConsoleInputEvents") procGetOverlappedResult = modkernel32.NewProc("GetOverlappedResult") procGetPriorityClass = modkernel32.NewProc("GetPriorityClass") procGetProcAddress = modkernel32.NewProc("GetProcAddress") @@ -1622,6 +1628,11 @@ func CancelMibChangeNotify2(notificationHandle Handle) (errcode error) { return } +func FreeMibTable(memory unsafe.Pointer) { + syscall.SyscallN(procFreeMibTable.Addr(), uintptr(memory)) + return +} + func GetAdaptersAddresses(family uint32, flags uint32, reserved uintptr, adapterAddresses *IpAdapterAddresses, sizePointer *uint32) (errcode error) { r0, _, _ := syscall.SyscallN(procGetAdaptersAddresses.Addr(), uintptr(family), uintptr(flags), uintptr(reserved), uintptr(unsafe.Pointer(adapterAddresses)), uintptr(unsafe.Pointer(sizePointer))) if r0 != 0 { @@ -1662,6 +1673,22 @@ func GetIfEntry2Ex(level uint32, row *MibIfRow2) (errcode error) { return } +func GetIpForwardEntry2(row *MibIpForwardRow2) (errcode error) { + r0, _, _ := syscall.SyscallN(procGetIpForwardEntry2.Addr(), uintptr(unsafe.Pointer(row))) + if r0 != 0 { + errcode = syscall.Errno(r0) + } + return +} + +func GetIpForwardTable2(family uint16, table **MibIpForwardTable2) (errcode error) { + r0, _, _ := syscall.SyscallN(procGetIpForwardTable2.Addr(), uintptr(family), uintptr(unsafe.Pointer(table))) + if r0 != 0 { + errcode = syscall.Errno(r0) + } + return +} + func GetUnicastIpAddressEntry(row *MibUnicastIpAddressRow) (errcode error) { r0, _, _ := syscall.SyscallN(procGetUnicastIpAddressEntry.Addr(), uintptr(unsafe.Pointer(row))) if r0 != 0 { @@ -1682,6 +1709,18 @@ func NotifyIpInterfaceChange(family uint16, callback uintptr, callerContext unsa return } +func NotifyRouteChange2(family uint16, callback uintptr, callerContext unsafe.Pointer, initialNotification bool, notificationHandle *Handle) (errcode error) { + var _p0 uint32 + if initialNotification { + _p0 = 1 + } + r0, _, _ := syscall.SyscallN(procNotifyRouteChange2.Addr(), uintptr(family), uintptr(callback), uintptr(callerContext), uintptr(_p0), uintptr(unsafe.Pointer(notificationHandle))) + if r0 != 0 { + errcode = syscall.Errno(r0) + } + return +} + func NotifyUnicastIpAddressChange(family uint16, callback uintptr, callerContext unsafe.Pointer, initialNotification bool, notificationHandle *Handle) (errcode error) { var _p0 uint32 if initialNotification { @@ -2111,6 +2150,14 @@ func FindVolumeMountPointClose(findVolumeMountPoint Handle) (err error) { return } +func FlushConsoleInputBuffer(console Handle) (err error) { + r1, _, e1 := syscall.SyscallN(procFlushConsoleInputBuffer.Addr(), uintptr(console)) + if r1 == 0 { + err = errnoErr(e1) + } + return +} + func FlushFileBuffers(handle Handle) (err error) { r1, _, e1 := syscall.SyscallN(procFlushFileBuffers.Addr(), uintptr(handle)) if r1 == 0 { @@ -2481,6 +2528,14 @@ func GetNamedPipeServerProcessId(pipe Handle, serverProcessID *uint32) (err erro return } +func GetNumberOfConsoleInputEvents(console Handle, numevents *uint32) (err error) { + r1, _, e1 := syscall.SyscallN(procGetNumberOfConsoleInputEvents.Addr(), uintptr(console), uintptr(unsafe.Pointer(numevents))) + if r1 == 0 { + err = errnoErr(e1) + } + return +} + func GetOverlappedResult(handle Handle, overlapped *Overlapped, done *uint32, wait bool) (err error) { var _p0 uint32 if wait { diff --git a/vendor/golang.org/x/term/terminal.go b/vendor/golang.org/x/term/terminal.go index bddb2e2aeb..9255449b9b 100644 --- a/vendor/golang.org/x/term/terminal.go +++ b/vendor/golang.org/x/term/terminal.go @@ -413,7 +413,7 @@ func (t *Terminal) eraseNPreviousChars(n int) { } } -// countToLeftWord returns then number of characters from the cursor to the +// countToLeftWord returns the number of characters from the cursor to the // start of the previous word. func (t *Terminal) countToLeftWord() int { if t.pos == 0 { @@ -438,7 +438,7 @@ func (t *Terminal) countToLeftWord() int { return t.pos - pos } -// countToRightWord returns then number of characters from the cursor to the +// countToRightWord returns the number of characters from the cursor to the // start of the next word. func (t *Terminal) countToRightWord() int { pos := t.pos @@ -478,7 +478,7 @@ func visualLength(runes []rune) int { return length } -// histroryAt unlocks the terminal and relocks it while calling History.At. +// historyAt unlocks the terminal and relocks it while calling History.At. func (t *Terminal) historyAt(idx int) (string, bool) { t.lock.Unlock() // Unlock to avoid deadlock if History methods use the output writer. defer t.lock.Lock() // panic in At (or Len) protection. diff --git a/vendor/golang.org/x/text/unicode/bidi/core.go b/vendor/golang.org/x/text/unicode/bidi/core.go index 9d2ae547b5..fb8273236d 100644 --- a/vendor/golang.org/x/text/unicode/bidi/core.go +++ b/vendor/golang.org/x/text/unicode/bidi/core.go @@ -427,13 +427,6 @@ type isolatingRunSequence struct { func (i *isolatingRunSequence) Len() int { return len(i.indexes) } -func maxLevel(a, b level) level { - if a > b { - return a - } - return b -} - // Rule X10, second bullet: Determine the start-of-sequence (sos) and end-of-sequence (eos) types, // either L or R, for each isolating run sequence. func (p *paragraph) isolatingRunSequence(indexes []int) *isolatingRunSequence { @@ -474,8 +467,8 @@ func (p *paragraph) isolatingRunSequence(indexes []int) *isolatingRunSequence { indexes: indexes, types: types, level: level, - sos: typeForLevel(maxLevel(prevLevel, level)), - eos: typeForLevel(maxLevel(succLevel, level)), + sos: typeForLevel(max(prevLevel, level)), + eos: typeForLevel(max(succLevel, level)), } } diff --git a/vendor/golang.org/x/tools/go/ast/inspector/cursor.go b/vendor/golang.org/x/tools/go/ast/inspector/cursor.go index 31c8d2f240..7e72d3c284 100644 --- a/vendor/golang.org/x/tools/go/ast/inspector/cursor.go +++ b/vendor/golang.org/x/tools/go/ast/inspector/cursor.go @@ -40,7 +40,7 @@ type Cursor struct { // Root returns a cursor for the virtual root node, // whose children are the files provided to [New]. // -// Its [Cursor.Node] and [Cursor.Stack] methods return nil. +// Its [Cursor.Node] method return nil. func (in *Inspector) Root() Cursor { return Cursor{in, -1} } diff --git a/vendor/modules.txt b/vendor/modules.txt index c657ef53fb..34c514e3dc 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -166,7 +166,7 @@ github.com/openshift-eng/openshift-tests-extension/pkg/flags github.com/openshift-eng/openshift-tests-extension/pkg/ginkgo github.com/openshift-eng/openshift-tests-extension/pkg/util/sets github.com/openshift-eng/openshift-tests-extension/pkg/version -# github.com/openshift/api v0.0.0-20251127005036-0e3c378fdedc +# github.com/openshift/api v0.0.0-20260116192047-6fb7fdae95fd ## explicit; go 1.24.0 github.com/openshift/api/config github.com/openshift/api/config/v1 @@ -181,7 +181,7 @@ github.com/openshift/api/operator/v1 github.com/openshift/api/operator/v1alpha1 github.com/openshift/api/operator/v1alpha1/zz_generated.crd-manifests github.com/openshift/api/security/v1 -# github.com/openshift/client-go v0.0.0-20251201171210-333716c1124a +# github.com/openshift/client-go v0.0.0-20260108185524-48f4ccfc4e13 ## explicit; go 1.24.0 github.com/openshift/client-go/config/applyconfigurations github.com/openshift/client-go/config/applyconfigurations/config/v1 @@ -236,7 +236,7 @@ github.com/openshift/client-go/security/clientset/versioned/fake github.com/openshift/client-go/security/clientset/versioned/scheme github.com/openshift/client-go/security/clientset/versioned/typed/security/v1 github.com/openshift/client-go/security/clientset/versioned/typed/security/v1/fake -# github.com/openshift/library-go v0.0.0-20251120164824-14a789e09884 +# github.com/openshift/library-go v0.0.0-20260108135436-db8dbd64c462 ## explicit; go 1.24.0 github.com/openshift/library-go/pkg/apiserver/jsonpatch github.com/openshift/library-go/pkg/config/clusterstatus @@ -333,7 +333,7 @@ go.yaml.in/yaml/v2 # go.yaml.in/yaml/v3 v3.0.4 ## explicit; go 1.16 go.yaml.in/yaml/v3 -# golang.org/x/crypto v0.42.0 +# golang.org/x/crypto v0.45.0 ## explicit; go 1.24.0 golang.org/x/crypto/cast5 golang.org/x/crypto/openpgp @@ -346,8 +346,8 @@ golang.org/x/crypto/openpgp/s2k ## explicit; go 1.20 golang.org/x/exp/constraints golang.org/x/exp/slices -# golang.org/x/net v0.43.0 -## explicit; go 1.23.0 +# golang.org/x/net v0.47.0 +## explicit; go 1.24.0 golang.org/x/net/context golang.org/x/net/html golang.org/x/net/html/atom @@ -365,15 +365,15 @@ golang.org/x/net/trace golang.org/x/oauth2 golang.org/x/oauth2/clientcredentials golang.org/x/oauth2/internal -# golang.org/x/sys v0.36.0 +# golang.org/x/sys v0.38.0 ## explicit; go 1.24.0 golang.org/x/sys/plan9 golang.org/x/sys/unix golang.org/x/sys/windows -# golang.org/x/term v0.35.0 +# golang.org/x/term v0.37.0 ## explicit; go 1.24.0 golang.org/x/term -# golang.org/x/text v0.29.0 +# golang.org/x/text v0.31.0 ## explicit; go 1.24.0 golang.org/x/text/encoding golang.org/x/text/encoding/charmap @@ -398,8 +398,8 @@ golang.org/x/text/unicode/norm # golang.org/x/time v0.9.0 ## explicit; go 1.18 golang.org/x/time/rate -# golang.org/x/tools v0.36.0 -## explicit; go 1.23.0 +# golang.org/x/tools v0.38.0 +## explicit; go 1.24.0 golang.org/x/tools/cover golang.org/x/tools/go/ast/edge golang.org/x/tools/go/ast/inspector